DLPDeidentifyTemplate
| Property | Value |
|---|---|
| Google Cloud Service Name | Cloud DLP |
| Google Cloud Service Documentation | /dlp/docs/ |
| Google Cloud REST Resource Name | projects.deidentifyTemplates |
| Google Cloud REST Resource Documentation | /dlp/docs/reference/rest/v2/projects.deidentifyTemplates |
| Config Connector Resource Short Names | gcpdlpdeidentifytemplate gcpdlpdeidentifytemplates dlpdeidentifytemplate |
| Config Connector Service Name | dlp.googleapis.com |
| Config Connector Resource Fully Qualified Name | dlpdeidentifytemplates.dlp.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
deidentifyConfig
:
infoTypeTransformations
:
transformations
:
-
infoTypes
:
-
name
:
string
primitiveTransformation
:
bucketingConfig
:
buckets
:
-
max
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
min
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
replacementValue
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
characterMaskConfig
:
charactersToIgnore
:
-
charactersToSkip
:
string
commonCharactersToIgnore
:
string
maskingCharacter
:
string
numberToMask
:
integer
reverseOrder
:
boolean
cryptoDeterministicConfig
:
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
surrogateInfoType
:
name
:
string
cryptoHashConfig
:
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
cryptoReplaceFfxFpeConfig
:
commonAlphabet
:
string
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
customAlphabet
:
string
radix
:
integer
surrogateInfoType
:
name
:
string
dateShiftConfig
:
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
lowerBoundDays
:
integer
upperBoundDays
:
integer
fixedSizeBucketingConfig
:
bucketSize
:
float
lowerBound
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
upperBound
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
redactConfig
:
{}
replaceConfig
:
newValue
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
replaceWithInfoTypeConfig
:
{}
timePartConfig
:
partToExtract
:
string
recordTransformations
:
fieldTransformations
:
-
condition
:
expressions
:
conditions
:
conditions
:
-
field
:
name
:
string
operator
:
string
value
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
logicalOperator
:
string
fields
:
-
name
:
string
infoTypeTransformations
:
transformations
:
-
infoTypes
:
-
name
:
string
primitiveTransformation
:
bucketingConfig
:
buckets
:
-
max
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
min
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
replacementValue
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
characterMaskConfig
:
charactersToIgnore
:
-
charactersToSkip
:
string
commonCharactersToIgnore
:
string
maskingCharacter
:
string
numberToMask
:
integer
reverseOrder
:
boolean
cryptoDeterministicConfig
:
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
surrogateInfoType
:
name
:
string
cryptoHashConfig
:
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
cryptoReplaceFfxFpeConfig
:
commonAlphabet
:
string
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
customAlphabet
:
string
radix
:
integer
surrogateInfoType
:
name
:
string
dateShiftConfig
:
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
lowerBoundDays
:
integer
upperBoundDays
:
integer
fixedSizeBucketingConfig
:
bucketSize
:
float
lowerBound
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
upperBound
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
redactConfig
:
{}
replaceConfig
:
newValue
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
replaceWithInfoTypeConfig
:
{}
timePartConfig
:
partToExtract
:
string
primitiveTransformation
:
bucketingConfig
:
buckets
:
-
max
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
min
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
replacementValue
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
characterMaskConfig
:
charactersToIgnore
:
-
charactersToSkip
:
string
commonCharactersToIgnore
:
string
maskingCharacter
:
string
numberToMask
:
integer
reverseOrder
:
boolean
cryptoDeterministicConfig
:
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
surrogateInfoType
:
name
:
string
cryptoHashConfig
:
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
cryptoReplaceFfxFpeConfig
:
commonAlphabet
:
string
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
customAlphabet
:
string
radix
:
integer
surrogateInfoType
:
name
:
string
dateShiftConfig
:
context
:
name
:
string
cryptoKey
:
kmsWrapped
:
cryptoKeyRef
:
external
:
string
name
:
string
namespace
:
string
wrappedKey
:
string
transient
:
name
:
string
unwrapped
:
key
:
string
lowerBoundDays
:
integer
upperBoundDays
:
integer
fixedSizeBucketingConfig
:
bucketSize
:
float
lowerBound
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
upperBound
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
redactConfig
:
{}
replaceConfig
:
newValue
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
replaceWithInfoTypeConfig
:
{}
timePartConfig
:
partToExtract
:
string
recordSuppressions
:
-
condition
:
expressions
:
conditions
:
conditions
:
-
field
:
name
:
string
operator
:
string
value
:
booleanValue
:
boolean
dateValue
:
day
:
integer
month
:
integer
year
:
integer
dayOfWeekValue
:
string
floatValue
:
float
integerValue
:
integer
stringValue
:
string
timeValue
:
hours
:
integer
minutes
:
integer
nanos
:
integer
seconds
:
integer
timestampValue
:
string
logicalOperator
:
string
transformationErrorHandling
:
leaveUntransformed
:
{}
throwError
:
{}
description
:
string
displayName
:
string
location
:
string
organizationRef
:
external
:
string
name
:
string
namespace
:
string
projectRef
:
external
:
string
name
:
string
namespace
:
string
resourceID
:
string
| Fields | |
|---|---|
| Optional |
The core content of the template. |
| Optional |
Treat the dataset as free-form text and apply the same free text transformation everywhere. |
| Required* |
Required. Transformation for each infoType. Cannot specify more than one for a given infoType. |
| Required* |
|
| Optional |
InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. |
| Optional |
|
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Required* |
Required. Primitive transformation to apply to the infoType. |
| Optional |
Bucketing |
| Optional |
Set of buckets. Ranges must be non-overlapping. |
| Optional |
|
| Optional |
Upper bound of the range, exclusive; type must match min. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Lower bound of the range, inclusive. Type should be the same as max if used. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Required* |
Required. Replacement value for this bucket. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Mask |
| Optional |
When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. |
| Optional |
|
| Optional |
Characters to not transform when masking. |
| Optional |
Common characters to not transform when masking. Useful to avoid removing punctuation. Possible values: COMMON_CHARS_TO_IGNORE_UNSPECIFIED, NUMERIC, ALPHA_UPPER_CASE, ALPHA_LOWER_CASE, PUNCTUATION, WHITESPACE |
| Optional |
Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. |
| Optional |
Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. |
| Optional |
Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. |
| Optional |
Deterministic Crypto |
| Optional |
A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. |
| Optional |
Name describing the field. |
| Optional |
The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. |
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Optional |
Crypto |
| Optional |
The key used by the hash function. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
Ffx-Fpe |
| Optional |
Common alphabets. Possible values: FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED, NUMERIC, HEXADECIMAL, UPPER_CASE_ALPHA_NUMERIC, ALPHA_NUMERIC |
| Optional |
The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| Optional |
Name describing the field. |
| Required* |
Required. The key used by the encryption algorithm. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: ``0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/`` |
| Optional |
The native way to select the alphabet. Must be in the range [2, 95]. |
| Optional |
The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE |
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Optional |
Date Shift |
| Optional |
Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. |
| Optional |
Name describing the field. |
| Optional |
Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Required* |
Required. For example, -5 means shift date to at most 5 days back in the past. |
| Required* |
Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. |
| Optional |
Fixed size bucketing |
| Required* |
Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| Required* |
Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Required* |
Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Redact |
| Optional |
Replace with a specified value. |
| Optional |
Value to replace it with. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Replace with infotype |
| Optional |
Time extraction |
| Optional |
The part of the time to keep. Possible values: TIME_PART_UNSPECIFIED, YEAR, MONTH, DAY_OF_MONTH, DAY_OF_WEEK, WEEK_OF_YEAR, HOUR_OF_DAY |
| Optional |
Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table. |
| Optional |
Transform the record by applying various field transformations. |
| Optional |
|
| Optional |
Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85. |
| Optional |
An expression. |
| Optional |
Conditions to apply to the expression. |
| Optional |
A collection of conditions. |
| Optional |
|
| Required* |
Required. Field within the record this condition is evaluated against. |
| Optional |
Name describing the field. |
| Required* |
Required. Operator used to compare the field or infoType to the value. Possible values: LOGICAL_OPERATOR_UNSPECIFIED, AND |
| Optional |
Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
The operator to apply to the result of conditions. Default and currently only supported value is `AND`. Possible values: LOGICAL_OPERATOR_UNSPECIFIED, AND |
| Required* |
Required. Input field(s) to apply the transformation to. When you have columns that reference their position within a list, omit the index from the FieldId. FieldId name matching ignores the index. For example, instead of "contact.nums[0].type", use "contact.nums.type". |
| Required* |
|
| Optional |
Name describing the field. |
| Optional |
Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`. |
| Required* |
Required. Transformation for each infoType. Cannot specify more than one for a given infoType. |
| Required* |
|
| Optional |
InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`. |
| Optional |
|
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Required* |
Required. Primitive transformation to apply to the infoType. |
| Optional |
Bucketing |
| Optional |
Set of buckets. Ranges must be non-overlapping. |
| Optional |
|
| Optional |
Upper bound of the range, exclusive; type must match min. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Lower bound of the range, inclusive. Type should be the same as max if used. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Required* |
Required. Replacement value for this bucket. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Mask |
| Optional |
When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. |
| Optional |
|
| Optional |
Characters to not transform when masking. |
| Optional |
Common characters to not transform when masking. Useful to avoid removing punctuation. Possible values: COMMON_CHARS_TO_IGNORE_UNSPECIFIED, NUMERIC, ALPHA_UPPER_CASE, ALPHA_LOWER_CASE, PUNCTUATION, WHITESPACE |
| Optional |
Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. |
| Optional |
Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. |
| Optional |
Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. |
| Optional |
Deterministic Crypto |
| Optional |
A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. |
| Optional |
Name describing the field. |
| Optional |
The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. |
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Optional |
Crypto |
| Optional |
The key used by the hash function. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
Ffx-Fpe |
| Optional |
Common alphabets. Possible values: FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED, NUMERIC, HEXADECIMAL, UPPER_CASE_ALPHA_NUMERIC, ALPHA_NUMERIC |
| Optional |
The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| Optional |
Name describing the field. |
| Required* |
Required. The key used by the encryption algorithm. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: ``0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/`` |
| Optional |
The native way to select the alphabet. Must be in the range [2, 95]. |
| Optional |
The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE |
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Optional |
Date Shift |
| Optional |
Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. |
| Optional |
Name describing the field. |
| Optional |
Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Required* |
Required. For example, -5 means shift date to at most 5 days back in the past. |
| Required* |
Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. |
| Optional |
Fixed size bucketing |
| Required* |
Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| Required* |
Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Required* |
Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Redact |
| Optional |
Replace with a specified value. |
| Optional |
Value to replace it with. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Replace with infotype |
| Optional |
Time extraction |
| Optional |
The part of the time to keep. Possible values: TIME_PART_UNSPECIFIED, YEAR, MONTH, DAY_OF_MONTH, DAY_OF_WEEK, WEEK_OF_YEAR, HOUR_OF_DAY |
| Optional |
Apply the transformation to the entire field. |
| Optional |
Bucketing |
| Optional |
Set of buckets. Ranges must be non-overlapping. |
| Optional |
|
| Optional |
Upper bound of the range, exclusive; type must match min. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Lower bound of the range, inclusive. Type should be the same as max if used. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Required* |
Required. Replacement value for this bucket. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Mask |
| Optional |
When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`. |
| Optional |
|
| Optional |
Characters to not transform when masking. |
| Optional |
Common characters to not transform when masking. Useful to avoid removing punctuation. Possible values: COMMON_CHARS_TO_IGNORE_UNSPECIFIED, NUMERIC, ALPHA_UPPER_CASE, ALPHA_LOWER_CASE, PUNCTUATION, WHITESPACE |
| Optional |
Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits. |
| Optional |
Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally. |
| Optional |
Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`. |
| Optional |
Deterministic Crypto |
| Optional |
A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. |
| Optional |
Name describing the field. |
| Optional |
The key used by the encryption function. For deterministic encryption using AES-SIV, the provided key is internally expanded to 64 bytes prior to use. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE. |
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Optional |
Crypto |
| Optional |
The key used by the hash function. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
Ffx-Fpe |
| Optional |
Common alphabets. Possible values: FFX_COMMON_NATIVE_ALPHABET_UNSPECIFIED, NUMERIC, HEXADECIMAL, UPPER_CASE_ALPHA_NUMERIC, ALPHA_NUMERIC |
| Optional |
The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2 |
| Optional |
Name describing the field. |
| Required* |
Required. The key used by the encryption algorithm. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Optional |
This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: ``0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|:;"'<,>.?/`` |
| Optional |
The native way to select the alphabet. Must be in the range [2, 95]. |
| Optional |
The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE |
| Optional |
Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. |
| Optional |
Date Shift |
| Optional |
Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context. |
| Optional |
Name describing the field. |
| Optional |
Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items. |
| Optional |
Key wrapped using Cloud KMS |
| Required* |
|
| Optional |
Required. The resource name of the KMS CryptoKey to use for unwrapping. Allowed value: The Google Cloud resource name of a `KMSCryptoKey` resource (format: `{{selfLink}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Required* |
Required. The wrapped data crypto key. |
| Optional |
Transient crypto key |
| Required* |
Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated). |
| Optional |
Unwrapped crypto key |
| Required* |
Required. A 128/192/256 bit key. |
| Required* |
Required. For example, -5 means shift date to at most 5 days back in the past. |
| Required* |
Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future. |
| Optional |
Fixed size bucketing |
| Required* |
Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. |
| Required* |
Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10". |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Required* |
Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+". |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Redact |
| Optional |
Replace with a specified value. |
| Optional |
Value to replace it with. |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
Replace with infotype |
| Optional |
Time extraction |
| Optional |
The part of the time to keep. Possible values: TIME_PART_UNSPECIFIED, YEAR, MONTH, DAY_OF_MONTH, DAY_OF_WEEK, WEEK_OF_YEAR, HOUR_OF_DAY |
| Optional |
Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output. |
| Optional |
|
| Optional |
A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content. |
| Optional |
An expression. |
| Optional |
Conditions to apply to the expression. |
| Optional |
A collection of conditions. |
| Optional |
|
| Required* |
Required. Field within the record this condition is evaluated against. |
| Optional |
Name describing the field. |
| Required* |
Required. Operator used to compare the field or infoType to the value. Possible values: LOGICAL_OPERATOR_UNSPECIFIED, AND |
| Optional |
Value to compare against. [Mandatory, except for `EXISTS` tests.] |
| Optional |
boolean |
| Optional |
date |
| Optional |
Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
| Optional |
Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| Optional |
Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| Optional |
day of week Possible values: DAY_OF_WEEK_UNSPECIFIED, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY |
| Optional |
float |
| Optional |
integer |
| Optional |
string |
| Optional |
time of day |
| Optional |
Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. |
| Optional |
Minutes of hour of day. Must be from 0 to 59. |
| Optional |
Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. |
| Optional |
Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds. |
| Optional |
timestamp |
| Optional |
The operator to apply to the result of conditions. Default and currently only supported value is `AND`. Possible values: LOGICAL_OPERATOR_UNSPECIFIED, AND |
| Optional |
Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`. |
| Optional |
Ignore errors |
| Optional |
Throw an error |
| Optional |
Short description (max 256 chars). |
| Optional |
Display name (max 256 chars). |
| Optional |
Immutable. The location of the resource |
| Optional |
Immutable. The Organization that this resource belongs to. Only one of [organizationRef, projectRef] may be specified. |
| Optional |
Allowed value: The Google Cloud resource name of a Google Cloud Organization (format: `organizations/{{name}}`). |
| Optional |
[WARNING] Organization not yet supported in Config Connector, use 'external' field to reference existing resources. Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Optional |
Immutable. The Project that this resource belongs to. Only one of [organizationRef, projectRef] may be specified. |
| Optional |
Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). |
| Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| Optional |
Immutable. Optional. The service-generated name of the resource. Used for acquisition only. Leave unset to create a new resource. |
* Field is required when parent field is specified
Status
Schema
conditions
:
-
lastTransitionTime
:
string
message
:
string
reason
:
string
status
:
string
type
:
string
createTime
:
string
locationId
:
string
observedGeneration
:
integer
updateTime
:
string
| Fields | |
|---|---|
conditions
|
Conditions represent the latest available observation of the resource's current state. |
conditions[]
|
|
conditions[].lastTransitionTime
|
Last time the condition transitioned from one status to another. |
conditions[].message
|
Human-readable message indicating details about last transition. |
conditions[].reason
|
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status
|
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type
|
Type is the type of the condition. |
createTime
|
Output only. The creation timestamp of an inspectTemplate. |
locationId
|
Output only. The geographic location where this resource is stored. |
observedGeneration
|
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
updateTime
|
Output only. The last update timestamp of an inspectTemplate. |
Sample YAML(s)
Info Type Deidentify Template
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion
:
dlp.cnrm.cloud.google.com/v1beta1
kind
:
DLPDeidentifyTemplate
metadata
:
name
:
dlpdeidentifytemplate-sample-infotypedeidentifytemplate
spec
:
projectRef
:
# Replace "${PROJECT_ID?}" with your project ID
external
:
"projects/${PROJECT_ID?}"
displayName
:
"sample-template"
description
:
"A
sample
deidentify
template"
deidentifyConfig
:
infoTypeTransformations
:
transformations
:
-
infoTypes
:
-
name
:
"PHONE_NUMBER"
-
name
:
"AGE"
primitiveTransformation
:
replaceConfig
:
newValue
:
integerValue
:
9
-
infoTypes
:
-
name
:
"SALARY"
primitiveTransformation
:
replaceConfig
:
newValue
:
floatValue
:
192168.01
-
infoTypes
:
-
name
:
"HOME_PAGE"
primitiveTransformation
:
replaceConfig
:
newValue
:
stringValue
:
"https://www.example.com/"
-
infoTypes
:
-
name
:
"RETIRED"
primitiveTransformation
:
replaceConfig
:
newValue
:
booleanValue
:
true
-
infoTypes
:
-
name
:
"LAST_LOGIN"
primitiveTransformation
:
replaceConfig
:
newValue
:
timestampValue
:
"2014-10-02T15:01:23Z"
-
infoTypes
:
-
name
:
"START_TIME"
primitiveTransformation
:
replaceConfig
:
newValue
:
timeValue
:
hours
:
9
minutes
:
30
seconds
:
0
nanos
:
0
-
infoTypes
:
-
name
:
"DATE_OF_BIRTH"
primitiveTransformation
:
replaceConfig
:
newValue
:
dateValue
:
year
:
2020
month
:
1
day
:
1
-
infoTypes
:
-
name
:
"PAYDAY"
primitiveTransformation
:
replaceConfig
:
newValue
:
dayOfWeekValue
:
"FRIDAY"
-
infoTypes
:
-
name
:
"HEIGHT"
primitiveTransformation
:
redactConfig
:
{}
-
infoTypes
:
-
name
:
"EMAIL_ADDRESS"
-
name
:
"LAST_NAME"
primitiveTransformation
:
characterMaskConfig
:
maskingCharacter
:
"X"
numberToMask
:
4
reverseOrder
:
true
charactersToIgnore
:
-
charactersToSkip
:
"#"
-
commonCharactersToIgnore
:
"PUNCTUATION"
-
infoTypes
:
-
name
:
"HOME_ADDRESS"
primitiveTransformation
:
cryptoReplaceFfxFpeConfig
:
context
:
name
:
"sometweak"
cryptoKey
:
transient
:
name
:
"beep"
surrogateInfoType
:
name
:
"abc"
commonAlphabet
:
"NUMERIC"
-
infoTypes
:
-
name
:
"BANK_ACCOUNT_NUMBER"
primitiveTransformation
:
cryptoReplaceFfxFpeConfig
:
cryptoKey
:
unwrapped
:
key
:
"vJZQm1FyV4BdF99nlcUYNA=="
customAlphabet
:
"~`!@#$%^&*()_-+={[}]|:;\"'<,>.?/"
-
infoTypes
:
-
name
:
"BILLING_ADDRESS"
primitiveTransformation
:
cryptoReplaceFfxFpeConfig
:
cryptoKey
:
kmsWrapped
:
wrappedKey
:
"vJZQm1FyV4BdF99nlcUYNA=="
cryptoKeyRef
:
name
:
"dlpdeidentifytemplate-dep-infotypedeidentifytemplate"
radix
:
4
-
infoTypes
:
-
name
:
"FIRST_NAME"
primitiveTransformation
:
fixedSizeBucketingConfig
:
lowerBound
:
integerValue
:
7
upperBound
:
integerValue
:
9
bucketSize
:
2.5
-
infoTypes
:
-
name
:
"MIDDLE_NAME"
primitiveTransformation
:
bucketingConfig
:
buckets
:
-
min
:
integerValue
:
7
max
:
integerValue
:
9
replacementValue
:
integerValue
:
6
-
infoTypes
:
-
name
:
"EYE_COLOR"
primitiveTransformation
:
replaceWithInfoTypeConfig
:
{}
-
infoTypes
:
-
name
:
"START_DATE"
primitiveTransformation
:
timePartConfig
:
partToExtract
:
"YEAR"
-
infoTypes
:
-
name
:
"CREDIT_CARD_NUMBER"
primitiveTransformation
:
cryptoDeterministicConfig
:
context
:
name
:
"sometweak"
cryptoKey
:
transient
:
name
:
"beep"
surrogateInfoType
:
name
:
"abc"
-
infoTypes
:
-
name
:
"LAST_VACATION"
primitiveTransformation
:
dateShiftConfig
:
upperBoundDays
:
3
lowerBoundDays
:
2
context
:
name
:
"def"
cryptoKey
:
transient
:
name
:
"beep"
---
apiVersion
:
kms.cnrm.cloud.google.com/v1beta1
kind
:
KMSCryptoKey
metadata
:
name
:
dlpdeidentifytemplate-dep-infotypedeidentifytemplate
spec
:
keyRingRef
:
name
:
"dlpdeidentifytemplate-dep-infotypedeidentifytemplate"
purpose
:
"ENCRYPT_DECRYPT"
---
apiVersion
:
kms.cnrm.cloud.google.com/v1beta1
kind
:
KMSKeyRing
metadata
:
name
:
dlpdeidentifytemplate-dep-infotypedeidentifytemplate
spec
:
location
:
"global"
Record Deidentify Template
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion
:
dlp.cnrm.cloud.google.com/v1beta1
kind
:
DLPDeidentifyTemplate
metadata
:
name
:
dlpdeidentifytemplate-sample-recorddeidentifytemplate
spec
:
organizationRef
:
# Replace "${ORG_ID?}" with the numeric ID for your organization
external
:
"organizations/${ORG_ID?}"
location
:
"us-west2"
displayName
:
"sample-template"
description
:
"A
sample
deidentify
template"
deidentifyConfig
:
recordTransformations
:
fieldTransformations
:
-
fields
:
-
name
:
"SPECIES"
condition
:
expressions
:
logicalOperator
:
"AND"
conditions
:
conditions
:
-
field
:
name
:
"BREED"
operator
:
"NOT_EQUAL_TO"
value
:
stringValue
:
"PUG"
primitiveTransformation
:
redactConfig
:
{}
