| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.organizations.html">organizations</a> . <a href="dlp_v2.organizations.deidentifyTemplates.html">deidentifyTemplates</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p> |
| <p class="toc_element"> |
| <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p> |
| <p class="firstline">Deletes a DeidentifyTemplate.</p> |
| <p class="toc_element"> |
| <code><a href="#get">get(name, x__xgafv=None)</a></code></p> |
| <p class="firstline">Gets a DeidentifyTemplate.</p> |
| <p class="toc_element"> |
| <code><a href="#list">list(parent, orderBy=None, pageToken=None, pageSize=None, locationId=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Lists DeidentifyTemplates.</p> |
| <p class="toc_element"> |
| <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p> |
| <p class="firstline">Retrieves the next page of results.</p> |
| <p class="toc_element"> |
| <code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Updates the DeidentifyTemplate.</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="create">create(parent, body=None, x__xgafv=None)</code> |
| <pre>Creates a DeidentifyTemplate for re-using frequently used configuration |
| for de-identifying content, images, and storage. |
| See https://cloud.google.com/dlp/docs/creating-templates-deid to learn |
| more. |
| |
| Args: |
| parent: string, Required. Parent resource name. |
| - Format:projects/[PROJECT-ID] |
| - Format:organizations/[ORGANIZATION-ID] |
| - Format:projects/[PROJECT-ID]/locations/[LOCATION-ID] |
| - Format:organizations/[ORGANIZATION-ID]/locations/[LOCATION-ID] (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Request message for CreateDeidentifyTemplate. |
| "templateId": "A String", # The template id can contain uppercase and lowercase letters, |
| # numbers, and hyphens; that is, it must match the regular |
| # expression: `[a-zA-Z\\d-_]+`. The maximum length is 100 |
| # characters. Can be empty to allow the system to generate one. |
| "deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # Required. The DeidentifyTemplate to create. |
| # See https://cloud.google.com/dlp/docs/concepts-templates to learn more. |
| "name": "A String", # Output only. The template name. |
| # |
| # The template will have one of the following formats: |
| # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR |
| # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID` |
| "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // /////////////// |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default |
| # mode is `TransformationErrorHandling.ThrowError`. |
| # transformation error occurs when the requested transformation is incompatible |
| # with the data. For example, trying to de-identify an IP address using a |
| # `DateShift` transformation would result in a transformation error, since date |
| # info cannot be extracted from an IP address. |
| # Information about any incompatible transformations, and how they were |
| # handled, is returned in the response as part of the |
| # `TransformationOverviews`. |
| "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors |
| # cause an error. For example, if a `DateShift` transformation were applied |
| # an an IP address, this mode would leave the IP address unchanged in the |
| # response. |
| }, |
| "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error |
| }, |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Required. Input field(s) to apply the transformation to. |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate. |
| "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate. |
| "description": "A String", # Short description (max 256 chars). |
| "displayName": "A String", # Display name (max 256 chars). |
| }, |
| "locationId": "A String", # Deprecated. This field has no effect. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # DeidentifyTemplates contains instructions on how to de-identify content. |
| # See https://cloud.google.com/dlp/docs/concepts-templates to learn more. |
| "name": "A String", # Output only. The template name. |
| # |
| # The template will have one of the following formats: |
| # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR |
| # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID` |
| "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // /////////////// |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default |
| # mode is `TransformationErrorHandling.ThrowError`. |
| # transformation error occurs when the requested transformation is incompatible |
| # with the data. For example, trying to de-identify an IP address using a |
| # `DateShift` transformation would result in a transformation error, since date |
| # info cannot be extracted from an IP address. |
| # Information about any incompatible transformations, and how they were |
| # handled, is returned in the response as part of the |
| # `TransformationOverviews`. |
| "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors |
| # cause an error. For example, if a `DateShift` transformation were applied |
| # an an IP address, this mode would leave the IP address unchanged in the |
| # response. |
| }, |
| "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error |
| }, |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Required. Input field(s) to apply the transformation to. |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate. |
| "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate. |
| "description": "A String", # Short description (max 256 chars). |
| "displayName": "A String", # Display name (max 256 chars). |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="delete">delete(name, x__xgafv=None)</code> |
| <pre>Deletes a DeidentifyTemplate. |
| See https://cloud.google.com/dlp/docs/creating-templates-deid to learn |
| more. |
| |
| Args: |
| name: string, Required. Resource name of the organization and deidentify template to be deleted, |
| for example `organizations/433245324/deidentifyTemplates/432452342` or |
| projects/project-id/deidentifyTemplates/432452342. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A generic empty message that you can re-use to avoid defining duplicated |
| # empty messages in your APIs. A typical example is to use it as the request |
| # or the response type of an API method. For instance: |
| # |
| # service Foo { |
| # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); |
| # } |
| # |
| # The JSON representation for `Empty` is empty JSON object `{}`. |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="get">get(name, x__xgafv=None)</code> |
| <pre>Gets a DeidentifyTemplate. |
| See https://cloud.google.com/dlp/docs/creating-templates-deid to learn |
| more. |
| |
| Args: |
| name: string, Required. Resource name of the organization and deidentify template to be read, for |
| example `organizations/433245324/deidentifyTemplates/432452342` or |
| projects/project-id/deidentifyTemplates/432452342. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # DeidentifyTemplates contains instructions on how to de-identify content. |
| # See https://cloud.google.com/dlp/docs/concepts-templates to learn more. |
| "name": "A String", # Output only. The template name. |
| # |
| # The template will have one of the following formats: |
| # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR |
| # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID` |
| "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // /////////////// |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default |
| # mode is `TransformationErrorHandling.ThrowError`. |
| # transformation error occurs when the requested transformation is incompatible |
| # with the data. For example, trying to de-identify an IP address using a |
| # `DateShift` transformation would result in a transformation error, since date |
| # info cannot be extracted from an IP address. |
| # Information about any incompatible transformations, and how they were |
| # handled, is returned in the response as part of the |
| # `TransformationOverviews`. |
| "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors |
| # cause an error. For example, if a `DateShift` transformation were applied |
| # an an IP address, this mode would leave the IP address unchanged in the |
| # response. |
| }, |
| "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error |
| }, |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Required. Input field(s) to apply the transformation to. |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate. |
| "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate. |
| "description": "A String", # Short description (max 256 chars). |
| "displayName": "A String", # Display name (max 256 chars). |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="list">list(parent, orderBy=None, pageToken=None, pageSize=None, locationId=None, x__xgafv=None)</code> |
| <pre>Lists DeidentifyTemplates. |
| See https://cloud.google.com/dlp/docs/creating-templates-deid to learn |
| more. |
| |
| Args: |
| parent: string, Required. Parent resource name. |
| - Format:projects/[PROJECT-ID] |
| - Format:organizations/[ORGANIZATION-ID] |
| - Format:projects/[PROJECT-ID]/locations/[LOCATION-ID] |
| - Format:organizations/[ORGANIZATION-ID]/locations/[LOCATION-ID] (required) |
| orderBy: string, Comma separated list of fields to order by, |
| followed by `asc` or `desc` postfix. This list is case-insensitive, |
| default sorting order is ascending, redundant space characters are |
| insignificant. |
| |
| Example: `name asc,update_time, create_time desc` |
| |
| Supported fields are: |
| |
| - `create_time`: corresponds to time the template was created. |
| - `update_time`: corresponds to time the template was last updated. |
| - `name`: corresponds to template's name. |
| - `display_name`: corresponds to template's display name. |
| pageToken: string, Page token to continue retrieval. Comes from previous call |
| to `ListDeidentifyTemplates`. |
| pageSize: integer, Size of the page, can be limited by server. If zero server returns |
| a page of max size 100. |
| locationId: string, Deprecated. This field has no effect. |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # Response message for ListDeidentifyTemplates. |
| "nextPageToken": "A String", # If the next page is available then the next page token to be used |
| # in following ListDeidentifyTemplates request. |
| "deidentifyTemplates": [ # List of deidentify templates, up to page_size in |
| # ListDeidentifyTemplatesRequest. |
| { # DeidentifyTemplates contains instructions on how to de-identify content. |
| # See https://cloud.google.com/dlp/docs/concepts-templates to learn more. |
| "name": "A String", # Output only. The template name. |
| # |
| # The template will have one of the following formats: |
| # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR |
| # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID` |
| "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // /////////////// |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default |
| # mode is `TransformationErrorHandling.ThrowError`. |
| # transformation error occurs when the requested transformation is incompatible |
| # with the data. For example, trying to de-identify an IP address using a |
| # `DateShift` transformation would result in a transformation error, since date |
| # info cannot be extracted from an IP address. |
| # Information about any incompatible transformations, and how they were |
| # handled, is returned in the response as part of the |
| # `TransformationOverviews`. |
| "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors |
| # cause an error. For example, if a `DateShift` transformation were applied |
| # an an IP address, this mode would leave the IP address unchanged in the |
| # response. |
| }, |
| "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error |
| }, |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Required. Input field(s) to apply the transformation to. |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate. |
| "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate. |
| "description": "A String", # Short description (max 256 chars). |
| "displayName": "A String", # Display name (max 256 chars). |
| }, |
| ], |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="list_next">list_next(previous_request, previous_response)</code> |
| <pre>Retrieves the next page of results. |
| |
| Args: |
| previous_request: The request for the previous page. (required) |
| previous_response: The response from the request for the previous page. (required) |
| |
| Returns: |
| A request object that you can call 'execute()' on to request the next |
| page. Returns None if there are no more items in the collection. |
| </pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code> |
| <pre>Updates the DeidentifyTemplate. |
| See https://cloud.google.com/dlp/docs/creating-templates-deid to learn |
| more. |
| |
| Args: |
| name: string, Required. Resource name of organization and deidentify template to be updated, for |
| example `organizations/433245324/deidentifyTemplates/432452342` or |
| projects/project-id/deidentifyTemplates/432452342. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # Request message for UpdateDeidentifyTemplate. |
| "deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # New DeidentifyTemplate value. |
| # See https://cloud.google.com/dlp/docs/concepts-templates to learn more. |
| "name": "A String", # Output only. The template name. |
| # |
| # The template will have one of the following formats: |
| # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR |
| # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID` |
| "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // /////////////// |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default |
| # mode is `TransformationErrorHandling.ThrowError`. |
| # transformation error occurs when the requested transformation is incompatible |
| # with the data. For example, trying to de-identify an IP address using a |
| # `DateShift` transformation would result in a transformation error, since date |
| # info cannot be extracted from an IP address. |
| # Information about any incompatible transformations, and how they were |
| # handled, is returned in the response as part of the |
| # `TransformationOverviews`. |
| "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors |
| # cause an error. For example, if a `DateShift` transformation were applied |
| # an an IP address, this mode would leave the IP address unchanged in the |
| # response. |
| }, |
| "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error |
| }, |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Required. Input field(s) to apply the transformation to. |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate. |
| "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate. |
| "description": "A String", # Short description (max 256 chars). |
| "displayName": "A String", # Display name (max 256 chars). |
| }, |
| "updateMask": "A String", # Mask to control which fields get updated. |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # DeidentifyTemplates contains instructions on how to de-identify content. |
| # See https://cloud.google.com/dlp/docs/concepts-templates to learn more. |
| "name": "A String", # Output only. The template name. |
| # |
| # The template will have one of the following formats: |
| # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR |
| # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID` |
| "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // /////////////// |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text |
| # transformation everywhere. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default |
| # mode is `TransformationErrorHandling.ThrowError`. |
| # transformation error occurs when the requested transformation is incompatible |
| # with the data. For example, trying to de-identify an IP address using a |
| # `DateShift` transformation would result in a transformation error, since date |
| # info cannot be extracted from an IP address. |
| # Information about any incompatible transformations, and how they were |
| # handled, is returned in the response as part of the |
| # `TransformationOverviews`. |
| "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors |
| # cause an error. For example, if a `DateShift` transformation were applied |
| # an an IP address, this mode would leave the IP address unchanged in the |
| # response. |
| }, |
| "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error |
| }, |
| }, |
| "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to |
| # specific locations within structured datasets, such as transforming |
| # a column within a table. |
| # table. |
| "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that |
| # match any suppression rule are omitted from the output. |
| { # Configuration to suppress records whose suppression conditions evaluate to |
| # true. |
| "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being |
| # evaluated to be suppressed from the transformed content. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| }, |
| ], |
| "fieldTransformations": [ # Transform the record by applying various field transformations. |
| { # The transformation to apply to the field. |
| "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively |
| # transform content that matches an `InfoType`. |
| # apply various `PrimitiveTransformation`s to each finding, where the |
| # transformation is applied to only values that were identified as a specific |
| # info_type. |
| "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one |
| # for a given infoType. |
| { # A transformation to apply to text that is identified as a specific |
| # info_type. |
| "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause |
| # this transformation to apply to all findings that correspond to |
| # infoTypes that were requested in `InspectConfig`. |
| { # Type of information detected by the API. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| ], |
| "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| }, |
| ], |
| }, |
| "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field. |
| "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift |
| # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting |
| # to learn more. |
| "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. |
| # If set, must also set cryptoKey. If set, shift will be consistent for the |
| # given context. |
| "name": "A String", # Name describing the field. |
| }, |
| "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this |
| # range (inclusive ends). Negative means shift to earlier in time. Must not |
| # be more than 365250 days (1000 years) each direction. |
| # |
| # For example, 3 means shift date to at most 3 days into the future. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This |
| # results in the same shift for the same context and crypto_key. If |
| # set, must also set context. Can only be applied to table items. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past. |
| }, |
| "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction |
| # portion of the value. |
| "partToExtract": "A String", # The part of the time to keep. |
| }, |
| "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype |
| }, |
| "replaceConfig": { # Replace each input value with a given `Value`. # Replace |
| "newValue": { # Set of primitive values supported by the system. # Value to replace it with. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto |
| # Uses SHA-256. |
| # The key size must be either 32 or 64 bytes. |
| # Outputs a base64 encoded representation of the hashed output |
| # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). |
| # Currently, only string and integer values can be hashed. |
| # See https://cloud.google.com/dlp/docs/pseudonymization to learn more. |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask |
| # fixed character. Masking can start from the beginning or end of the string. |
| # This can be used on data of any type (numbers, longs, and so on) and when |
| # de-identifying structured data we'll attempt to preserve the original data's |
| # type. (This allows you to take a long like 123 and modify it to a string like |
| # **3. |
| "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing |
| # characters. For example, if the input string is `555-555-5555` and you |
| # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP |
| # returns `***-**5-5555`. |
| { # Characters to skip when doing deidentification of a value. These will be left |
| # alone and skipped. |
| "charactersToSkip": "A String", # Characters to not transform when masking. |
| "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing |
| # punctuation. |
| }, |
| ], |
| "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be |
| # masked. Skipped characters do not count towards this tally. |
| "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an |
| # alphabetic string such as a name, or `0` for a numeric string such as ZIP |
| # code or credit card number. This string must have a length of 1. If not |
| # supplied, this value defaults to `*` for strings, and `0` for digits. |
| "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is |
| # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the |
| # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. |
| # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` |
| # is `true`, then the string `12345` is masked as `12***`. |
| }, |
| "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact |
| # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the |
| # output would be 'My phone number is '. |
| }, |
| "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing |
| # Bucketing transformation can provide all of this functionality, |
| # but requires more configuration. This message is provided as a convenience to |
| # the user for simple bucketing strategies. |
| # |
| # The transformed value will be a hyphenated string of |
| # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 |
| # all values that are within this bucket will be replaced with "10-20". |
| # |
| # This can be used on data of type: double, long. |
| # |
| # If the bound Value type differs from the type of data |
| # being transformed, we will first attempt converting the type of the data to |
| # be transformed to match the type of the bound before comparing. |
| # |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are |
| # grouped together into a single bucket; for example if `upper_bound` = 89, |
| # then all values greater than 89 are replaced with the value "89+". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are |
| # grouped together into a single bucket; for example if `lower_bound` = 10, |
| # then all values less than 10 are replaced with the value "-10". |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if |
| # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the |
| # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, |
| # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| }, |
| "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe |
| # (FPE) with the FFX mode of operation; however when used in the |
| # `ReidentifyContent` API method, it serves the opposite function by reversing |
| # the surrogate back into the original identifier. The identifier must be |
| # encoded as ASCII. For a given crypto key and context, the same identifier |
| # will be replaced with the same surrogate. Identifiers must be at least two |
| # characters long. In the case that the identifier is the empty string, it will |
| # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn |
| # more. |
| # |
| # Note: We recommend using CryptoDeterministicConfig for all use cases which |
| # do not require preserving the input alphabet space and size, plus warrant |
| # referential integrity. |
| "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom infoType followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: info_type_name(surrogate_character_count):surrogate |
| # |
| # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom infoType |
| # [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). |
| # This facilitates reversal of the surrogate when it occurs in free text. |
| # |
| # In order for inspection to work properly, the name of this infoType must |
| # not occur naturally anywhere in your data; otherwise, inspection may |
| # find a surrogate that does not correspond to an actual identifier. |
| # Therefore, choose your custom infoType name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95]. |
| "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same |
| # identifier in two different contexts won't be given the same surrogate. If |
| # the context is not set, a default tweak will be used. |
| # |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 1. the field is not present when transforming a given value, |
| # |
| # a default tweak will be used. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| # Currently, the referenced field may be of value type integer or string. |
| # |
| # The tweak is constructed as a sequence of bytes in big endian byte order |
| # such that: |
| # |
| # - a 64 bit integer is encoded followed by a single byte of value 1 |
| # - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| "name": "A String", # Name describing the field. |
| }, |
| "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters |
| # that the FFX mode natively supports. This happens before/after |
| # encryption/decryption. |
| # Each character listed must appear only once. |
| # Number of characters must be in the range [2, 95]. |
| # This must be encoded as ASCII. |
| # The order of characters does not matter. |
| # The full list of allowed characters is: |
| # <code>0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz |
| # ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/</code> |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| "commonAlphabet": "A String", # Common alphabets. |
| }, |
| "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto |
| # input. Outputs a base64 encoded representation of the encrypted output. |
| # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. |
| "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining |
| # referential integrity such that the same identifier in two different |
| # contexts will be given a distinct surrogate. The context is appended to |
| # plaintext value being encrypted. On decryption the provided context is |
| # validated against the value used during encryption. If a context was |
| # provided during encryption, same context must be provided during decryption |
| # as well. |
| # |
| # If the context is not set, plaintext would be used as is for encryption. |
| # If the context is set but: |
| # |
| # 1. there is no record present when transforming a given value or |
| # 2. the field is not present when transforming a given value, |
| # |
| # plaintext would be used as is for encryption. |
| # |
| # Note that case (1) is expected when an `InfoTypeTransformation` is |
| # applied to both structured and non-structured `ContentItem`s. |
| "name": "A String", # Name describing the field. |
| }, |
| "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. |
| # This annotation will be applied to the surrogate by prefixing it with |
| # the name of the custom info type followed by the number of |
| # characters comprising the surrogate. The following scheme defines the |
| # format: {info type name}({surrogate character count}):{surrogate} |
| # |
| # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and |
| # the surrogate is 'abc', the full replacement value |
| # will be: 'MY_TOKEN_INFO_TYPE(3):abc' |
| # |
| # This annotation identifies the surrogate when inspecting content using the |
| # custom info type 'Surrogate'. This facilitates reversal of the |
| # surrogate when it occurs in free text. |
| # |
| # Note: For record transformations where the entire cell in a table is being |
| # transformed, surrogates are not mandatory. Surrogates are used to denote |
| # the location of the token and are necessary for re-identification in free |
| # form text. |
| # |
| # In order for inspection to work properly, the name of this info type must |
| # not occur naturally anywhere in your data; otherwise, inspection may either |
| # |
| # - reverse a surrogate that does not correspond to an actual identifier |
| # - be unable to parse the surrogate and result in an error |
| # |
| # Therefore, choose your custom info type name carefully after considering |
| # what your data looks like. One way to select a name that has a high chance |
| # of yielding reliable detection is to include one or more unicode characters |
| # that are highly improbable to exist in your data. |
| # For example, assuming your data is entered from a regular ASCII keyboard, |
| # the symbol with the hex code point 29DD might be used like so: |
| # ⧝MY_TOKEN_TYPE. |
| "name": "A String", # Name of the information type. Either a name of your choosing when |
| # creating a CustomInfoType, or one of the names listed |
| # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying |
| # a built-in type. When sending Cloud DLP results to Data Catalog, infoType |
| # names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| }, |
| "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function. |
| # a key encryption key (KEK) stored by KMS). |
| # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate |
| # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot |
| # unwrap the data crypto key. |
| "transient": { # Use this to have a random data crypto key generated. # Transient crypto key |
| # It will be discarded after the request finishes. |
| "name": "A String", # Required. Name of the key. |
| # This is an arbitrary string used to differentiate different keys. |
| # A unique key is generated per name: two separate `TransientCryptoKey` |
| # protos share the same generated key if their names are the same. |
| # When the data crypto key is generated, this name is not used in any way |
| # (repeating the api call will result in a different key being generated). |
| }, |
| "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key |
| # The wrapped key must be a 128/192/256 bit key. |
| # Authorization requires the following IAM permissions when sending a request |
| # to perform a crypto transformation using a kms-wrapped crypto key: |
| # dlp.kms.encrypt |
| "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping. |
| "wrappedKey": "A String", # Required. The wrapped data crypto key. |
| }, |
| "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key |
| # leaking the key. Choose another type of key if possible. |
| "key": "A String", # Required. A 128/192/256 bit key. |
| }, |
| }, |
| }, |
| "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing |
| # replacement values are dynamically provided by the user for custom behavior, |
| # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH |
| # This can be used on |
| # data of type: number, long, string, timestamp. |
| # If the bound `Value` type differs from the type of data being transformed, we |
| # will first attempt converting the type of the data to be transformed to match |
| # the type of the bound before comparing. |
| # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. |
| "buckets": [ # Set of buckets. Ranges must be non-overlapping. |
| { # Bucket is represented as a range, along with replacement values. |
| "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "replacementValue": { # Set of primitive values supported by the system. # Required. Replacement value for this bucket. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if |
| # used. |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| }, |
| ], |
| }, |
| }, |
| "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the |
| # given `RecordCondition`. The conditions are allowed to reference fields |
| # that are not used in the actual transformation. |
| # |
| # Example Use Cases: |
| # |
| # - Apply a different bucket transformation to an age column if the zip code |
| # column for the same record is within a specific range. |
| # - Redact a field if the date of birth field is greater than 85. |
| # a field. |
| "expressions": { # An expression, consisting or an operator and conditions. # An expression. |
| "conditions": { # A collection of conditions. # Conditions to apply to the expression. |
| "conditions": [ # A collection of conditions. |
| { # The field type of `value` and `field` do not need to match to be |
| # considered equal, but not all comparisons are possible. |
| # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, |
| # but all other comparisons are invalid with incompatible types. |
| # A `value` of type: |
| # |
| # - `string` can be compared against all other types |
| # - `boolean` can only be compared against other booleans |
| # - `integer` can be compared against doubles or a string if the string value |
| # can be parsed as an integer. |
| # - `double` can be compared against integers or a string if the string can |
| # be parsed as a double. |
| # - `Timestamp` can be compared against strings in RFC 3339 date string |
| # format. |
| # - `TimeOfDay` can be compared against timestamps and strings in the format |
| # of 'HH:mm:ss'. |
| # |
| # If we fail to compare do to type mismatch, a warning will be given and |
| # the condition will evaluate to false. |
| "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against. |
| "name": "A String", # Name describing the field. |
| }, |
| "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| # Note that for the purposes of inspection or transformation, the number |
| # of bytes considered to comprise a 'Value' is based on its representation |
| # as a UTF-8 encoded string. For example, if 'integer_value' is set to |
| # 123456789, the number of bytes would be counted as 9, even though an |
| # int64 only holds up to 8 bytes of data. |
| "integerValue": "A String", # integer |
| "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day |
| # or are specified elsewhere. An API may choose to allow leap seconds. Related |
| # types are google.type.Date and `google.protobuf.Timestamp`. |
| "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may |
| # allow the value 60 if it allows leap-seconds. |
| "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| "minutes": 42, # Minutes of hour of day. Must be from 0 to 59. |
| "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose |
| # to allow the value "24:00:00" for scenarios like business closing time. |
| }, |
| "dayOfWeekValue": "A String", # day of week |
| "floatValue": 3.14, # float |
| "stringValue": "A String", # string |
| "timestampValue": "A String", # timestamp |
| "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date |
| # and time zone are either specified elsewhere or are not significant. The date |
| # is relative to the Proleptic Gregorian Calendar. This can represent: |
| # |
| # * A full date, with non-zero year, month and day values |
| # * A month and day value, with a zero year, e.g. an anniversary |
| # * A year on its own, with zero month and day values |
| # * A year and month value, with a zero day, e.g. a credit card expiration date |
| # |
| # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. |
| "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a |
| # month and day. |
| "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without |
| # a year. |
| "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0 |
| # if specifying a year by itself or a year and month where the day is not |
| # significant. |
| }, |
| "booleanValue": True or False, # boolean |
| }, |
| "operator": "A String", # Required. Operator used to compare the field or infoType to the value. |
| }, |
| ], |
| }, |
| "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently |
| # only supported value is `AND`. |
| }, |
| }, |
| "fields": [ # Required. Input field(s) to apply the transformation to. |
| { # General identifier of a data field in a storage service. |
| "name": "A String", # Name describing the field. |
| }, |
| ], |
| }, |
| ], |
| }, |
| }, |
| "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate. |
| "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate. |
| "description": "A String", # Short description (max 256 chars). |
| "displayName": "A String", # Display name (max 256 chars). |
| }</pre> |
| </div> |
| |
| </body></html> |
