Uses the Data Loss Prevention API to de-identify sensitive data in a string by replacing matched input values with a value that you specify.
Explore further
For detailed documentation that includes this code sample, see the following:
Code sample
C#
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
using
System
;
using
System.Collections.Generic
;
using
Google.Api.Gax.ResourceNames
;
using
Google.Cloud.Dlp.V2
;
public
class
DeidentifyWithReplacement
{
public
static
DeidentifyContentResponse
Deidentify
(
string
projectId
,
string
text
,
string
replaceText
=
null
,
IEnumerable<InfoType>
infoTypes
=
null
)
{
// Instantiate the client.
var
dlp
=
DlpServiceClient
.
Create
();
// Set the info type if null.
var
infotypes
=
infoTypes
??
new
InfoType
[]
{
new
InfoType
{
Name
=
"EMAIL_ADDRESS"
}
};
// Construct the inspect config.
var
inspectConfig
=
new
InspectConfig
{
InfoTypes
=
{
infotypes
}
};
// Construct the replace value config.
var
replaceConfig
=
new
ReplaceValueConfig
{
NewValue
=
new
Value
{
StringValue
=
replaceText
??
"[email-address]"
}
};
// Construct the deidentify config using replace value config.
var
deidentifyConfig
=
new
DeidentifyConfig
{
InfoTypeTransformations
=
new
InfoTypeTransformations
{
Transformations
=
{
new
InfoTypeTransformations
.
Types
.
InfoTypeTransformation
{
InfoTypes
=
{
infotypes
},
PrimitiveTransformation
=
new
PrimitiveTransformation
{
ReplaceConfig
=
replaceConfig
}
}
},
}
};
// Construct the request.
var
request
=
new
DeidentifyContentRequest
{
ParentAsLocationName
=
new
LocationName
(
projectId
,
"global"
),
DeidentifyConfig
=
deidentifyConfig
,
InspectConfig
=
inspectConfig
,
Item
=
new
ContentItem
{
Value
=
text
}
};
// Call the API.
var
response
=
dlp
.
DeidentifyContent
(
request
);
// Check the deidentified content.
Console
.
WriteLine
(
$"Deidentified content: {response.Item. Value
}"
);
return
response
;
}
}
Go
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
(
"context"
"fmt"
"io"
dlp
"cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// deidentifyWithReplacement de-identifies sensitive data by replacing matched input values
func
deidentifyWithReplacement
(
w
io
.
Writer
,
projectID
,
inputStr
string
,
infoTypeNames
[]
string
,
replaceVal
string
)
error
{
// projectId := "your-project-id"
// inputStr := "My name is Alicia Abernathy, and my email address is aabernathy@example.com."
// infoTypeNames := []string{"EMAIL_ADDRESS"}
// replaceVal := "[email-address]"
ctx
:=
context
.
Background
()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client
,
err
:=
dlp
.
NewClient
(
ctx
)
if
err
!=
nil
{
return
err
}
// Closing the client safely cleans up background resources.
defer
client
.
Close
()
// item to be analyzed
item
:=
& dlppb
.
ContentItem
{
DataItem
:
& dlppb
.
ContentItem_Value
{
Value
:
inputStr
},
}
// Specify the type of info the inspection will look for.
// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
var
infoTypes
[]
*
dlppb
.
InfoType
for
_
,
v
:=
range
infoTypeNames
{
infoTypes
=
append
(
infoTypes
,
& dlppb
.
InfoType
{
Name
:
v
})
}
inspectConfig
:=
& dlppb
.
InspectConfig
{
InfoTypes
:
infoTypes
,
}
// Specify replacement string to be used for the finding.
replaceValueConfig
:=
& dlppb
.
ReplaceValueConfig
{
NewValue
:
& dlppb
.
Value
{
Type
:
& dlppb
.
Value_StringValue
{
StringValue
:
replaceVal
,
},
},
}
// Define type of de-identification as replacement.
primitiveTransformation
:=
& dlppb
.
PrimitiveTransformation_ReplaceConfig
{
ReplaceConfig
:
replaceValueConfig
,
}
// Associate de-identification type with info type.
infoTypeTransformation
:=
& dlppb
.
InfoTypeTransformations_InfoTypeTransformation
{
InfoTypes
:
infoTypes
,
PrimitiveTransformation
:
& dlppb
.
PrimitiveTransformation
{
Transformation
:
primitiveTransformation
,
},
}
deIdentifyConfig
:=
& dlppb
.
DeidentifyConfig
{
Transformation
:
& dlppb
.
DeidentifyConfig_InfoTypeTransformations
{
InfoTypeTransformations
:
& dlppb
.
InfoTypeTransformations
{
Transformations
:
[]
*
dlppb
.
InfoTypeTransformations_InfoTypeTransformation
{
infoTypeTransformation
,
},
},
},
}
// Construct the de-identification request to be sent by the client.
req
:=
& dlppb
.
DeidentifyContentRequest
{
Parent
:
fmt
.
Sprintf
(
"projects/%s/locations/global"
,
projectID
),
DeidentifyConfig
:
deIdentifyConfig
,
InspectConfig
:
inspectConfig
,
Item
:
item
,
}
// Send the request.
resp
,
err
:=
client
.
DeidentifyContent
(
ctx
,
req
)
if
err
!=
nil
{
return
err
}
// Print the results.
fmt
.
Fprintf
(
w
,
"output : %v"
,
resp
.
GetItem
().
GetValue
())
return
nil
}
Java
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
import
com.google.cloud.dlp.v2. DlpServiceClient
;
import
com.google.privacy.dlp.v2. ContentItem
;
import
com.google.privacy.dlp.v2. DeidentifyConfig
;
import
com.google.privacy.dlp.v2. DeidentifyContentRequest
;
import
com.google.privacy.dlp.v2. DeidentifyContentResponse
;
import
com.google.privacy.dlp.v2. InfoType
;
import
com.google.privacy.dlp.v2. InfoTypeTransformations
;
import
com.google.privacy.dlp.v2. InfoTypeTransformations
. InfoTypeTransformation
;
import
com.google.privacy.dlp.v2. InspectConfig
;
import
com.google.privacy.dlp.v2. LocationName
;
import
com.google.privacy.dlp.v2. PrimitiveTransformation
;
import
com.google.privacy.dlp.v2. ReplaceValueConfig
;
import
com.google.privacy.dlp.v2. Value
;
public
class
DeIdentifyWithReplacement
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
// TODO(developer): Replace these variables before running the sample.
String
projectId
=
"your-project-id"
;
String
textToInspect
=
"My name is Alicia Abernathy, and my email address is aabernathy@example.com."
;
deIdentifyWithReplacement
(
projectId
,
textToInspect
);
}
// Inspects the provided text.
public
static
void
deIdentifyWithReplacement
(
String
projectId
,
String
textToRedact
)
{
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try
(
DlpServiceClient
dlp
=
DlpServiceClient
.
create
())
{
// Specify the content to be inspected.
ContentItem
item
=
ContentItem
.
newBuilder
().
setValue
(
textToRedact
).
build
();
// Specify the type of info the inspection will look for.
// See https://cloud.google.com/dlp/docs/infotypes-reference for complete list of info types
InfoType
infoType
=
InfoType
.
newBuilder
().
setName
(
"EMAIL_ADDRESS"
).
build
();
InspectConfig
inspectConfig
=
InspectConfig
.
newBuilder
().
addInfoTypes
(
infoType
).
build
();
// Specify replacement string to be used for the finding.
ReplaceValueConfig
replaceValueConfig
=
ReplaceValueConfig
.
newBuilder
()
.
setNewValue
(
Value
.
newBuilder
().
setStringValue
(
"[email-address]"
).
build
())
.
build
();
// Define type of deidentification as replacement.
PrimitiveTransformation
primitiveTransformation
=
PrimitiveTransformation
.
newBuilder
().
setReplaceConfig
(
replaceValueConfig
).
build
();
// Associate deidentification type with info type.
InfoTypeTransformation
transformation
=
InfoTypeTransformation
.
newBuilder
()
.
addInfoTypes
(
infoType
)
.
setPrimitiveTransformation
(
primitiveTransformation
)
.
build
();
// Construct the configuration for the Redact request and list all desired transformations.
DeidentifyConfig
redactConfig
=
DeidentifyConfig
.
newBuilder
()
.
setInfoTypeTransformations
(
InfoTypeTransformations
.
newBuilder
().
addTransformations
(
transformation
))
.
build
();
// Construct the Redact request to be sent by the client.
DeidentifyContentRequest
request
=
DeidentifyContentRequest
.
newBuilder
()
.
setParent
(
LocationName
.
of
(
projectId
,
"global"
).
toString
())
.
setItem
(
item
)
.
setDeidentifyConfig
(
redactConfig
)
.
setInspectConfig
(
inspectConfig
)
.
build
();
// Use the client to send the API request.
DeidentifyContentResponse
response
=
dlp
.
deidentifyContent
(
request
);
// Parse the response and process results
System
.
out
.
println
(
"Text after redaction: "
+
response
.
getItem
().
getValue
());
}
catch
(
Exception
e
)
{
System
.
out
.
println
(
"Error during inspectString: \n"
+
e
.
toString
());
}
}
}
Node.js
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
// Imports the Google Cloud Data Loss Prevention library
const
DLP
=
require
(
' @google-cloud/dlp
'
);
// Instantiates a client
const
dlp
=
new
DLP
.
DlpServiceClient
();
// The project ID to run the API call under
// const projectId = 'my-project';
// The string to deidentify
// const string = 'My SSN is 372819127';
// The string to replace sensitive information with
// const replacement = "[REDACTED]"
async
function
deidentifyWithReplacement
()
{
// Construct deidentification request
const
item
=
{
value
:
string
};
const
request
=
{
parent
:
`projects/
${
projectId
}
/locations/global`
,
deidentifyConfig
:
{
infoTypeTransformations
:
{
transformations
:
[
{
primitiveTransformation
:
{
replaceConfig
:
{
newValue
:
{
stringValue
:
replacement
,
},
},
},
},
],
},
},
item
:
item
,
};
// Run deidentification request
const
[
response
]
=
await
dlp
.
deidentifyContent
(
request
);
const
deidentifiedItem
=
response
.
item
;
console
.
log
(
deidentifiedItem
.
value
);
}
deidentifyWithReplacement
();
PHP
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\DeidentifyContentRequest;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\InfoTypeTransformations;
use Google\Cloud\Dlp\V2\InfoTypeTransformations\InfoTypeTransformation;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\ReplaceValueConfig;
use Google\Cloud\Dlp\V2\Value;
/**
* De-identify sensitive data: Replacing matched input values.
* Uses the Data Loss Prevention API to de-identify sensitive data in a string by replacing matched input values with a value that you specify.
*
* @param string $callingProjectId The Google Cloud project id to use as a parent resource.
* @param string $string The string to deidentify (will be treated as text).
*/
function deidentify_replace(
// TODO(developer): Replace sample parameters before running the code.
string $callingProjectId,
string $string = 'My name is Alicia Abernathy, and my email address is aabernathy@example.com.'
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Specify the content to be deidentify.
$content = (new ContentItem())
->setValue($string);
// Specify the type of info the inspection will look for.
$emailAddressInfoType = (new InfoType())
->setName('EMAIL_ADDRESS');
// Create the configuration object
$inspectConfig = (new InspectConfig())
->setInfoTypes([$emailAddressInfoType]);
// Specify replacement string to be used for the finding.
$replaceValueConfig = (new ReplaceValueConfig())
->setNewValue((new Value())
->setStringValue('[email-address]'));
// Define type of deidentification as replacement.
$primitiveTransformation = (new PrimitiveTransformation())
->setReplaceConfig($replaceValueConfig);
// Associate deidentification type with info type.
$infoTypeTransformation = (new InfoTypeTransformation())
->setPrimitiveTransformation($primitiveTransformation)
->setInfoTypes([$emailAddressInfoType]);
$infoTypeTransformations = (new InfoTypeTransformations())
->setTransformations([$infoTypeTransformation]);
// Construct the configuration for the Redact request and list all desired transformations.
$deidentifyConfig = (new DeidentifyConfig())
->setInfoTypeTransformations($infoTypeTransformations);
// Run request
$deidentifyContentRequest = (new DeidentifyContentRequest())
->setParent($parent)
->setDeidentifyConfig($deidentifyConfig)
->setItem($content)
->setInspectConfig($inspectConfig);
$response = $dlp->deidentifyContent($deidentifyContentRequest);
// Print the results
printf('Deidentified content: %s' . PHP_EOL, $response->getItem()->getValue());
}
Python
To learn how to install and use the client library for Sensitive Data Protection, see Sensitive Data Protection client libraries .
To authenticate to Sensitive Data Protection, set up Application Default Credentials. For more information, see Set up authentication for a local development environment .
from
typing
import
List
import
google.cloud.dlp
def
deidentify_with_replace
(
project
:
str
,
input_str
:
str
,
info_types
:
List
[
str
],
replacement_str
:
str
=
"REPLACEMENT_STR"
,
)
-
> None
:
"""Uses the Data Loss Prevention API to deidentify sensitive data in a
string by replacing matched input values with a value you specify.
Args:
project: The Google Cloud project id to use as a parent resource.
input_str: The string to deidentify (will be treated as text).
info_types: A list of strings representing info types to look for.
replacement_str: The string to replace all values that match given
info types.
Returns:
None; the response from the API is printed to the terminal.
"""
# Instantiate a client
dlp
=
google
.
cloud
.
dlp_v2
.
DlpServiceClient
()
# Convert the project id into a full resource id.
parent
=
f
"projects/
{
project
}
/locations/global"
# Construct inspect configuration dictionary
inspect_config
=
{
"info_types"
:
[{
"name"
:
info_type
}
for
info_type
in
info_types
]}
# Construct deidentify configuration dictionary
deidentify_config
=
{
"info_type_transformations"
:
{
"transformations"
:
[
{
"primitive_transformation"
:
{
"replace_config"
:
{
"new_value"
:
{
"string_value"
:
replacement_str
}
}
}
}
]
}
}
# Construct item
item
=
{
"value"
:
input_str
}
# Call the API
response
=
dlp
.
deidentify_content
(
request
=
{
"parent"
:
parent
,
"deidentify_config"
:
deidentify_config
,
"inspect_config"
:
inspect_config
,
"item"
:
item
,
}
)
# Print out the results.
print
(
response
.
item
.
value
)
What's next
To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .
