Creating Cloud DLP inspection jobs and job triggers

This topic describes in detail how to create a new job or job trigger. For a quick walkthrough of how to create a new job trigger using the Cloud DLP UI, see Quickstart creating a Cloud DLP job trigger.

About jobs and job triggers

A job is an action that Cloud Data Loss Prevention (DLP) runs to scan content for sensitive data. Cloud DLP creates and runs a job resource whenever you tell it to inspect your data.

You can schedule when Cloud DLP runs jobs by creating job triggers. A job trigger is an event that automates the creation of DLP jobs to scan Google Cloud Platform storage repositories, including Cloud Storage buckets, BigQuery tables, and Cloud Datastore kinds.

For conceptual information about jobs and job triggers in Cloud DLP, see Jobs and job triggers.

Create a new job or job trigger

To create a new Cloud DLP job or job trigger:

Console

  1. In the GCP Console, open Cloud DLP.

    Go to Cloud DLP UI Beta

  2. From the Create menu, choose Job or job trigger.

    Screenshot of DLP UI with Create menu > Jobs or job triggers
        selected.

    Alternatively, click the following button:

    Create new job trigger

The Create job or job trigger page contains the following sections:

  1. Choose input data
  2. Configure detection
  3. Add actions
  4. Schedule
  5. Review

Choose input data

  1. On the Create job or job trigger page, first enter a name for the job or job trigger. You can use letters, numbers, and hyphens.
  2. Next, from the Storage type menu, choose what kind of repository stores the data you want to scan—Cloud Storage, BigQuery, or Cloud Datastore:
    • For Cloud Storage, either enter the URL of the bucket you want to scan, or choose Include/exclude from the Location type menu, and then click Browse to navigate to the bucket or subfolder you want to scan. Select the Scan folder recursively checkbox to scan the specified directory and all contained directories. Leave it unselected to scan only the specified directory and no deeper.
    • For BigQuery, enter the identifiers for the project, dataset, and table that you want to scan.
    • For Cloud Datastore, enter the identifiers for the project, namespace, and kind that you want to scan.
  3. To enter advanced configuration details, click Show Advanced Configuration and continue on into the next section. Be aware that advanced configuration is only available for scans of Cloud Storage buckets and BigQuery tables.

Once you're finished specifying the data location and any advanced configuration details, you can continue fine-tuning the job or job trigger by clicking Continue, or you can create the job immediately by clicking Create.

Advanced configuration

When you create a job or job trigger for a scan of Cloud Storage buckets or BigQuery tables, you can narrow your search by specifying an advanced configuration. Specifically, you can configure:

  • Files (Cloud Storage only): The file types to scan for, which include text, binary, and image files. You can also specify a regular expression (regex) to include or exclude files that match one or more file patterns.
  • Identifying fields (BigQuery only): Unique row identifiers within the table.
  • Sampling: Whether to use sampling to scan only a portion of the rows or files, as well as the percentage of files in the input location to scan.
Files

For files stored in Cloud Storage, you can specify the types to include in your scan under Files.

Screenshot of DLP UI with File types menu open.

You can choose from binary, text, and image files. An exhaustive list of file extensions that Cloud DLP can scan in Cloud Storage buckets is included on the API reference page for FileType. Be aware that choosing Binary causes Cloud DLP to scan files of types that are unrecognized.

Under Include paths, you can specify one or more regexes to scan only files within the bucket that match the given pattern. If no path is provided, all file types will be scanned.

Under Exclude paths, you can specify one or more regexes to skip files within the bucket that match the given pattern. If no path is provided, all file types will be scanned.

To add a regex to either include or exclude, click Add Include/Exclude Regex and enter the regex in the field. You can add as many fields as you want. To remove a field, click Delete item (the trashcan icon) next to the field you want to delete.

Identifying fields

For tables in BigQuery, under Identifying fields you can direct Cloud DLP to scan only rows that have values in a specific field or fields.

Screenshot of the DLP UI's Identifying fields section with one input
          field visible.

To add a field, click Add identifying field. Enter the field name, using dot notation to specify nested fields, if necessary.

You can add as many fields as you want. To remove a field, click Delete item (the trashcan icon) next to the field you want to delete.

Sampling

Under Sampling, you can choose whether to scan all the selected data or to sample the data by scanning a certain percentage. Sampling works differently depending on the type of storage repository you're scanning:

  • For BigQuery, this samples a subset of the total selected rows, corresponding to the percentage of files you specify to include in the scan.

    Screenshot of the DLP UI's Sampling section for BigQuery.

  • For Cloud Storage, if any file exceeds the size specified in the Max byte size to scan per file, Cloud DLP scans it up to that maximum file size and then moves on to the next file.

    Screenshot of the DLP UI's Sampling section for Cloud Storage.

To turn on sampling, choose one of the following options from the top menu:

  • Top: Cloud DLP starts the partial scan at the beginning of the data. For BigQuery, this starts the scan at the first row. For Cloud Storage, this starts the scan at the beginning of the each file, and stops scanning once Cloud DLP has scanned up to any specified maximum file size (see above).
  • Random start: Cloud DLP starts the partial scan at a random location within the data. For BigQuery, this starts the scan at a random row. For Cloud Storage, this setting only applies to files that exceed any specified maximum size. Cloud DLP scans files under the maximum file size in their entirety, and scans files above the maximum file size up to the maximum.

To perform a partial scan, you must also choose what percentage of the data you want to scan. Use the slider to set the percentage.

Configure detection

The Configure detection section is where you specify the types of sensitive data you want to scan for.

Template

You can optionally use a template to reuse configuration information you've specified previously.

If you have already created a template, click in the Template name field to see a list of existing templates. Choose or type the name of the template you want to use.

For more information about creating templates, see Creating Cloud DLP inspection templates.

InfoTypes

InfoType detectors find sensitive data of a certain type. For example, the Cloud DLP US_SOCIAL_SECURITY_NUMBER infoType detector finds US Social Security numbers.

Screenshot of the DLP UI's InfoTypes section in Create job or job
          trigger.

Under InfoTypes, choose the infoType detector that corresponds to a data type you want to scan for. You can also leave this field blank to scan for all default infoTypes. More information about each detector is provided in InfoType detector reference.

Confidence threshold

Every time Cloud DLP detects a potential match for sensitive data, it assigns it a likelihood value on a scale from "Very unlikely" to "Very likely." When you set a likelihood value here, you are instructing Cloud DLP to only match on data that corresponds to that likelihood value or higher.

Screenshot of the DLP UI's Confidence threshold section in Create job
          or job trigger.

The default value of "Possible" is sufficient for most purposes. If you routinely get matches that are too broad, move the slider up. If you get too few matches, move the slider down.

When you're done, click Continue.

Add actions

In the Add actions step, you select the action or actions you want Cloud DLP to take after the job completes.

Screenshot of the DLP UI's Add actions section.

Your choices are:

  • Publish to Pub/Sub: This option sends a notification message to a Cloud Pub/Sub when the job completes. Click New Topic to specify one or more topic names to which you want to publish the notification.
  • Save to BigQuery: This option saves findings to a BigQuery table. The findings that are stored in BigQuery contain details about each finding's location and match likelihood. If you don't store findings, the completed job will only contain statistics about the number and infoTypes of the findings. If you don't specify a table ID, BigQuery assigns a default name to a new table. If you specify an existing table, findings are appended to it. Choose the Include quote checkbox to include contextual text in each match result.
  • Publish to Google Cloud Security Command Center: This option publishes a summary of your results to Cloud SCC. For more information, see Sending Cloud DLP scan results to Cloud SCC.
  • Notify by email: This option causes Cloud DLP to send an email to project owners and editors when the job completes.

When you're done selecting actions, click Continue.

Schedule

In the Schedule section, you can do two things:

  • Specify time span: This option limits the files or rows to scan by date. Click Start time to specify the earliest file timestamp to include. Leave this value blank to specify all files. Click End time to specify the latest file timestamp to include. Leave this value blank to specify no upper timestamp limit.
  • Create a trigger to run the job on a periodic schedule: This option creates the job trigger, and sets it to run the job you've specified on a periodic schedule. The default value is also the minimum value: 24 hours. The maximum value is 60 days. If you only want Cloud DLP to scan new files or rows, select the Limit scans only to new content checkbox.

Screenshot of DLP UI's Schedule section in Create a job or job
          trigger.

Review

The Review section contains a JSON-formatted summary of the job settings you just specified.

Click Create to create the job trigger (if you specified a schedule) or job (if you didn't specify a schedule) and to run the job. The job or job trigger's information page appears, which contains status and other information. If the job is currently running, you can click the Cancel button to stop it. You can also delete the job or job trigger by clicking Delete.

To return to the main Cloud DLP page, click the Back arrow in the GCP Console.

Protocol

A job trigger is represented in the DLP API by the JobTrigger resource. You can create a new job trigger by using the JobTrigger resource's projects.jobTriggers.create method.

This sample JSON can be sent in a POST request to the specified Cloud DLP REST endpoint. This example JSON demonstrates how to create a job trigger in Cloud DLP. The job that this trigger will kick off is a Cloud Datastore inspection scan. The job trigger that is created runs every 86,400 seconds (or 24 hours).

To quickly try this out, you can use the APIs Explorer. Keep in mind that a successful request, even one created in APIs Explorer, will create a new scheduled job trigger. For general information about using JSON to send requests to the Cloud DLP API, see the JSON quickstart.

JSON Input:

POST https://dlp.googleapis.com/v2/projects/[PROJECT_ID]/jobTriggers?key={YOUR_API_KEY}

{
  "jobTrigger":{
    "displayName":"JobTrigger1",
    "description":"Starts a DLP scan job of a Datastore kind",
    "triggers":[
      {
        "schedule":{
          "recurrencePeriodDuration":"86400s"
        }
      }
    ],
    "status":"HEALTHY",
    "inspectJob":{
      "storageConfig":{
        "datastoreOptions":{
          "kind":{
            "name":"Example-Kind"
          },
          "partitionId":{
            "projectId":"[PROJECT_ID]",
            "namespaceId":"[NAMESPACE_ID]"
          }
        }
      },
      "inspectConfig":{
        "infoTypes":[
          {
            "name":"PHONE_NUMBER"
          }
        ],
        "excludeInfoTypes":false,
        "includeQuote":true,
        "minLikelihood":"LIKELY"
      },
      "actions":[
        {
          "saveFindings":{
            "outputConfig":{
              "table":{
                "projectId":"[PROJECT_ID]",
                "datasetId":"[BIGQUERY_DATASET_NAME]",
                "tableId":"[BIGQUERY_TABLE_NAME]"
              }
            }
          }
        }
      ]
    }
  }
}

JSON Output:

The following output indicates that the job trigger was successfully created.

{
  "name":"projects/[PROJECT_ID]/jobTriggers/[JOB_TRIGGER_NAME]",
  "displayName":"JobTrigger1",
  "description":"Starts a DLP scan job of a Datastore kind",
  "inspectJob":{
    "storageConfig":{
      "datastoreOptions":{
        "partitionId":{
          "projectId":"[PROJECT_ID]",
          "namespaceId":"[NAMESPACE_ID]"
        },
        "kind":{
          "name":"Example-Kind"
        }
      }
    },
    "inspectConfig":{
      "infoTypes":[
        {
          "name":"PHONE_NUMBER"
        }
      ],
      "minLikelihood":"LIKELY",
      "limits":{

      },
      "includeQuote":true
    },
    "actions":[
      {
        "saveFindings":{
          "outputConfig":{
            "table":{
              "projectId":"[PROJECT_ID]",
              "datasetId":"[BIGQUERY_DATASET_NAME]",
              "tableId":"[BIGQUERY_TABLE_NAME]"
            }
          }
        }
      }
    ]
  },
  "triggers":[
    {
      "schedule":{
        "recurrencePeriodDuration":"86400s"
      }
    }
  ],
  "createTime":"2018-11-30T01:52:41.171857Z",
  "updateTime":"2018-11-30T01:52:41.171857Z",
  "status":"HEALTHY"
}

Java

/**
 * Schedule a DLP inspection trigger for a GCS location.
 *
 * @param triggerId (Optional) name of the trigger to be created
 * @param displayName (Optional) display name for the trigger to be created
 * @param description (Optional) description for the trigger to be created
 * @param autoPopulateTimespan If true, limits scans to new content only.
 * @param scanPeriod How often to wait between scans, in days (minimum = 1 day)
 * @param infoTypes infoTypes of information to match eg. InfoType.PHONE_NUMBER,
 *     InfoType.EMAIL_ADDRESS
 * @param minLikelihood minimum likelihood required before returning a match
 * @param maxFindings maximum number of findings to report per request (0 = server maximum)
 * @param projectId The project ID to run the API call under
 */
private static void createTrigger(
    String triggerId,
    String displayName,
    String description,
    String bucketName,
    String fileName,
    boolean autoPopulateTimespan,
    int scanPeriod,
    List<InfoType> infoTypes,
    Likelihood minLikelihood,
    int maxFindings,
    String projectId)
    throws Exception {

  // instantiate a client
  DlpServiceClient dlpServiceClient = DlpServiceClient.create();
  try {

    CloudStorageOptions cloudStorageOptions =
        CloudStorageOptions.newBuilder()
            .setFileSet(
                CloudStorageOptions.FileSet.newBuilder()
                    .setUrl("gs://" + bucketName + "/" + fileName))
            .build();

    TimespanConfig timespanConfig = TimespanConfig.newBuilder()
        .setEnableAutoPopulationOfTimespanConfig(autoPopulateTimespan).build();

    StorageConfig storageConfig =
        StorageConfig.newBuilder().setCloudStorageOptions(cloudStorageOptions)
            .setTimespanConfig(timespanConfig).build();

    InspectConfig.FindingLimits findingLimits =
        InspectConfig.FindingLimits.newBuilder().setMaxFindingsPerRequest(maxFindings).build();

    InspectConfig inspectConfig =
        InspectConfig.newBuilder()
            .addAllInfoTypes(infoTypes)
            .setMinLikelihood(minLikelihood)
            .setLimits(findingLimits)
            .build();

    InspectJobConfig inspectJobConfig =
        InspectJobConfig.newBuilder()
            .setInspectConfig(inspectConfig)
            .setStorageConfig(storageConfig)
            .build();

    // Schedule scan of GCS bucket every scanPeriod number of days (minimum = 1 day)
    Duration duration = Duration.newBuilder().setSeconds(scanPeriod * 24 * 3600).build();
    Schedule schedule = Schedule.newBuilder().setRecurrencePeriodDuration(duration).build();
    JobTrigger.Trigger trigger = JobTrigger.Trigger.newBuilder().setSchedule(schedule).build();
    JobTrigger jobTrigger =
        JobTrigger.newBuilder()
            .setInspectJob(inspectJobConfig)
            .setName(triggerId)
            .setDisplayName(displayName)
            .setDescription(description)
            .setStatus(JobTrigger.Status.HEALTHY)
            .addTriggers(trigger)
            .build();

    // Create scan request
    CreateJobTriggerRequest createJobTriggerRequest =
        CreateJobTriggerRequest.newBuilder()
            .setParent(ProjectName.of(projectId).toString())
            .setJobTrigger(jobTrigger)
            .build();

    JobTrigger createdJobTrigger = dlpServiceClient.createJobTrigger(createJobTriggerRequest);

    System.out.println("Created Trigger: " + createdJobTrigger.getName());
  } catch (Exception e) {
    System.out.println("Error creating trigger: " + e.getMessage());
  }
}

Node.js

// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');

// Instantiates a client
const dlp = new DLP.DlpServiceClient();

// The project ID to run the API call under
// const callingProjectId = process.env.GCLOUD_PROJECT;

// (Optional) The name of the trigger to be created.
// const triggerId = 'my-trigger';

// (Optional) A display name for the trigger to be created
// const displayName = 'My Trigger';

// (Optional) A description for the trigger to be created
// const description = "This is a sample trigger.";

// The name of the bucket to scan.
// const bucketName = 'YOUR-BUCKET';

// Limit scan to new content only.
// const autoPopulateTimespan = true;

// How often to wait between scans, in days (minimum = 1 day)
// const scanPeriod = 1;

// The infoTypes of information to match
// const infoTypes = [{ name: 'PHONE_NUMBER' }, { name: 'EMAIL_ADDRESS' }, { name: 'CREDIT_CARD_NUMBER' }];

// The minimum likelihood required before returning a match
// const minLikelihood = 'LIKELIHOOD_UNSPECIFIED';

// The maximum number of findings to report per request (0 = server maximum)
// const maxFindings = 0;

// Get reference to the bucket to be inspected
const storageItem = {
  cloudStorageOptions: {
    fileSet: {url: `gs://${bucketName}/*`},
  },
  timeSpanConfig: {
    enableAutoPopulationOfTimespanConfig: autoPopulateTimespan,
  },
};

// Construct job to be triggered
const job = {
  inspectConfig: {
    infoTypes: infoTypes,
    minLikelihood: minLikelihood,
    limits: {
      maxFindingsPerRequest: maxFindings,
    },
  },
  storageConfig: storageItem,
};

// Construct trigger creation request
const request = {
  parent: dlp.projectPath(callingProjectId),
  jobTrigger: {
    inspectJob: job,
    displayName: displayName,
    description: description,
    triggers: [
      {
        schedule: {
          recurrencePeriodDuration: {
            seconds: scanPeriod * 60 * 60 * 24, // Trigger the scan daily
          },
        },
      },
    ],
    status: 'HEALTHY',
  },
  triggerId: triggerId,
};

try {
  // Run trigger creation request
  const [trigger] = await dlp.createJobTrigger(request);
  console.log(`Successfully created trigger ${trigger.name}.`);
} catch (err) {
  console.log(`Error in createTrigger: ${err.message || err}`);
}

Python

def create_trigger(project, bucket, scan_period_days, info_types,
                   trigger_id=None, display_name=None, description=None,
                   min_likelihood=None, max_findings=None,
                   auto_populate_timespan=False):
    """Creates a scheduled Data Loss Prevention API inspect_content trigger.
    Args:
        project: The Google Cloud project id to use as a parent resource.
        bucket: The name of the GCS bucket to scan. This sample scans all
            files in the bucket using a wildcard.
        scan_period_days: How often to repeat the scan, in days.
            The minimum is 1 day.
        info_types: A list of strings representing info types to look for.
            A full list of info type categories can be fetched from the API.
        trigger_id: The id of the trigger. If omitted, an id will be randomly
            generated.
        display_name: The optional display name of the trigger.
        description: The optional description of the trigger.
        min_likelihood: A string representing the minimum likelihood threshold
            that constitutes a match. One of: 'LIKELIHOOD_UNSPECIFIED',
            'VERY_UNLIKELY', 'UNLIKELY', 'POSSIBLE', 'LIKELY', 'VERY_LIKELY'.
        max_findings: The maximum number of findings to report; 0 = no maximum.
        auto_populate_timespan: Automatically populates time span config start
            and end times in order to scan new content only.
    Returns:
        None; the response from the API is printed to the terminal.
    """

    # Import the client library
    import google.cloud.dlp

    # Instantiate a client.
    dlp = google.cloud.dlp.DlpServiceClient()

    # Prepare info_types by converting the list of strings into a list of
    # dictionaries (protos are also accepted).
    info_types = [{'name': info_type} for info_type in info_types]

    # Construct the configuration dictionary. Keys which are None may
    # optionally be omitted entirely.
    inspect_config = {
        'info_types': info_types,
        'min_likelihood': min_likelihood,
        'limits': {'max_findings_per_request': max_findings},
    }

    # Construct a cloud_storage_options dictionary with the bucket's URL.
    url = 'gs://{}/*'.format(bucket)
    storage_config = {
        'cloud_storage_options': {
            'file_set': {'url': url}
        },
        # Time-based configuration for each storage object.
        'timespan_config': {
            # Auto-populate start and end times in order to scan new objects
            # only.
            'enable_auto_population_of_timespan_config': auto_populate_timespan
        },
    }

    # Construct the job definition.
    job = {
        'inspect_config': inspect_config,
        'storage_config': storage_config,
    }

    # Construct the schedule definition:
    schedule = {
        'recurrence_period_duration': {
            'seconds': scan_period_days * 60 * 60 * 24,
        }
    }

    # Construct the trigger definition.
    job_trigger = {
        'inspect_job': job,
        'display_name': display_name,
        'description': description,
        'triggers': [
            {'schedule': schedule}
        ],
        'status': 'HEALTHY'
    }

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # Call the API.
    response = dlp.create_job_trigger(
        parent, job_trigger=job_trigger, trigger_id=trigger_id)

    print('Successfully created trigger {}'.format(response.name))

Go


// createTrigger creates a trigger with the given configuration.
func createTrigger(w io.Writer, client *dlp.Client, project string, minLikelihood dlppb.Likelihood, maxFindings int32, triggerID, displayName, description, bucketName string, autoPopulateTimespan bool, scanPeriodDays int64, infoTypes []string) {
	// Convert the info type strings to a list of InfoTypes.
	var i []*dlppb.InfoType
	for _, it := range infoTypes {
		i = append(i, &dlppb.InfoType{Name: it})
	}

	// Create a configured request.
	req := &dlppb.CreateJobTriggerRequest{
		Parent:    "projects/" + project,
		TriggerId: triggerID,
		JobTrigger: &dlppb.JobTrigger{
			DisplayName: displayName,
			Description: description,
			Status:      dlppb.JobTrigger_HEALTHY,
			// Triggers control when the job will start.
			Triggers: []*dlppb.JobTrigger_Trigger{
				{
					Trigger: &dlppb.JobTrigger_Trigger_Schedule{
						Schedule: &dlppb.Schedule{
							Option: &dlppb.Schedule_RecurrencePeriodDuration{
								RecurrencePeriodDuration: &duration.Duration{
									Seconds: scanPeriodDays * 60 * 60 * 24, // Days to seconds.
								},
							},
						},
					},
				},
			},
			// Job configures the job to run when the trigger runs.
			Job: &dlppb.JobTrigger_InspectJob{
				InspectJob: &dlppb.InspectJobConfig{
					InspectConfig: &dlppb.InspectConfig{
						InfoTypes:     i,
						MinLikelihood: minLikelihood,
						Limits: &dlppb.InspectConfig_FindingLimits{
							MaxFindingsPerRequest: maxFindings,
						},
					},
					StorageConfig: &dlppb.StorageConfig{
						Type: &dlppb.StorageConfig_CloudStorageOptions{
							CloudStorageOptions: &dlppb.CloudStorageOptions{
								FileSet: &dlppb.CloudStorageOptions_FileSet{
									Url: "gs://" + bucketName + "/*",
								},
							},
						},
						// Time-based configuration for each storage object. See more at
						// https://cloud.google.com/dlp/docs/reference/rest/v2/InspectJobConfig#TimespanConfig
						TimespanConfig: &dlppb.StorageConfig_TimespanConfig{
							// Auto-populate start and end times in order to scan new objects only.
							EnableAutoPopulationOfTimespanConfig: autoPopulateTimespan,
						},
					},
				},
			},
		},
	}
	// Send the request.
	resp, err := client.CreateJobTrigger(context.Background(), req)
	if err != nil {
		log.Fatalf("error creating job trigger: %v", err)
	}
	fmt.Fprintf(w, "Successfully created trigger: %v", resp.GetName())
}

PHP

/**
 * Create a Data Loss Prevention API job trigger.
 */
use Google\Cloud\Dlp\V2\DlpServiceClient;
use Google\Cloud\Dlp\V2\JobTrigger;
use Google\Cloud\Dlp\V2\JobTrigger\Trigger;
use Google\Cloud\Dlp\V2\JobTrigger\Status;
use Google\Cloud\Dlp\V2\InspectConfig;
use Google\Cloud\Dlp\V2\InspectJobConfig;
use Google\Cloud\Dlp\V2\Schedule;
use Google\Cloud\Dlp\V2\CloudStorageOptions;
use Google\Cloud\Dlp\V2\CloudStorageOptions_FileSet;
use Google\Cloud\Dlp\V2\StorageConfig;
use Google\Cloud\Dlp\V2\StorageConfig_TimespanConfig;
use Google\Cloud\Dlp\V2\InfoType;
use Google\Cloud\Dlp\V2\Likelihood;
use Google\Cloud\Dlp\V2\InspectConfig\FindingLimits;
use Google\Protobuf\Duration;

/** Uncomment and populate these variables in your code */
// $callingProjectId = 'The project ID to run the API call under';
// $bucketName = 'The name of the bucket to scan';
// $triggerId = '';   // (Optional) The name of the trigger to be created';
// $displayName = ''; // (Optional) The human-readable name to give the trigger';
// $description = ''; // (Optional) A description for the trigger to be created';
// $scanPeriod = 1; // (Optional) How often to wait between scans, in days (minimum = 1 day)
// $autoPopulateTimespan = true; // (Optional) Automatically limit scan to new content only
// $maxFindings = 0; // (Optional) The maximum number of findings to report per request (0 = server maximum)

// Instantiate a client.
$dlp = new DlpServiceClient();

// ----- Construct job config -----
// The infoTypes of information to match
$personNameInfoType = (new InfoType())
    ->setName('PERSON_NAME');
$phoneNumberInfoType = (new InfoType())
    ->setName('PHONE_NUMBER');
$infoTypes = [$personNameInfoType, $phoneNumberInfoType];

// The minimum likelihood required before returning a match
$minLikelihood = likelihood::LIKELIHOOD_UNSPECIFIED;

// Specify finding limits
$limits = (new FindingLimits())
    ->setMaxFindingsPerRequest($maxFindings);

// Create the inspectConfig object
$inspectConfig = (new InspectConfig())
    ->setMinLikelihood($minLikelihood)
    ->setLimits($limits)
    ->setInfoTypes($infoTypes);

// Create triggers
$duration = (new Duration())
    ->setSeconds($scanPeriod * 60 * 60 * 24);

$schedule = (new Schedule())
    ->setRecurrencePeriodDuration($duration);

$triggerObject = (new Trigger())
    ->setSchedule($schedule);

// Create the storageConfig object
$fileSet = (new CloudStorageOptions_FileSet())
    ->setUrl('gs://' . $bucketName . '/*');

$storageOptions = (new CloudStorageOptions())
    ->setFileSet($fileSet);

// Auto-populate start and end times in order to scan new objects only.
$timespanConfig = (new StorageConfig_TimespanConfig())
    ->setEnableAutoPopulationOfTimespanConfig($autoPopulateTimespan);

$storageConfig = (new StorageConfig())
    ->setCloudStorageOptions($storageOptions)
    ->setTimespanConfig($timespanConfig);

// Construct the jobConfig object
$jobConfig = (new InspectJobConfig())
    ->setInspectConfig($inspectConfig)
    ->setStorageConfig($storageConfig);

// ----- Construct trigger object -----
$jobTriggerObject = (new JobTrigger())
    ->setTriggers([$triggerObject])
    ->setInspectJob($jobConfig)
    ->setStatus(Status::HEALTHY)
    ->setDisplayName($displayName)
    ->setDescription($description);

// Run trigger creation request
$parent = $dlp->projectName($callingProjectId);
$trigger = $dlp->createJobTrigger($parent, [
    'jobTrigger' => $jobTriggerObject,
    'triggerId' => $triggerId
]);

// Print results
printf('Successfully created trigger %s' . PHP_EOL, $trigger->getName());

C#

public static object CreateJobTrigger(
    string projectId,
    string bucketName,
    string minLikelihood,
    int maxFindings,
    bool autoPopulateTimespan,
    int scanPeriod,
    IEnumerable<InfoType> infoTypes,
    string triggerId,
    string displayName,
    string description)
{
    DlpServiceClient dlp = DlpServiceClient.Create();

    var jobConfig = new InspectJobConfig
    {
        InspectConfig = new InspectConfig
        {
            MinLikelihood = (Likelihood)Enum.Parse(
                typeof(Likelihood),
                minLikelihood
            ),
            Limits = new FindingLimits
            {
                MaxFindingsPerRequest = maxFindings
            },
            InfoTypes = { infoTypes }
        },
        StorageConfig = new StorageConfig
        {
            CloudStorageOptions = new CloudStorageOptions
            {
                FileSet = new FileSet
                {
                    Url = $"gs://{bucketName}/*"
                }
            },
            TimespanConfig = new TimespanConfig
            {
                EnableAutoPopulationOfTimespanConfig = autoPopulateTimespan
            }
        }
    };

    var jobTrigger = new JobTrigger
    {
        Triggers =
        {
            new Trigger
            {
                Schedule = new Schedule
                {
                    RecurrencePeriodDuration = new Google.Protobuf.WellKnownTypes.Duration
                    {
                        Seconds = scanPeriod * 60 * 60 * 24
                    }
                }
            }
        },
        InspectJob = jobConfig,
        Status = Status.Healthy,
        DisplayName = displayName,
        Description = description
    };

    JobTrigger response = dlp.CreateJobTrigger(
        new CreateJobTriggerRequest
        {
            ParentAsProjectName = new ProjectName(projectId),
            JobTrigger = jobTrigger,
            TriggerId = triggerId
        });

    Console.WriteLine($"Successfully created trigger {response.Name}");
    return 0;
}

List all job triggers

To list all job triggers for the current project:

Console

  1. In the GCP Console, open Cloud DLP.

    Go to Cloud DLP UI Beta

  2. Click the Job triggers tab.

The console displays a list of all job triggers for the current project.

Protocol

The JobTrigger resource has a projects.jobTriggers.list method, with which you can list all job triggers.

To list all job triggers currently defined in your project, send a GET request to the jobTriggers endpoint, as shown here:

URL:

GET https://dlp.googleapis.com/v2/projects/[PROJECT_ID]/jobTriggers?key={YOUR_API_KEY}

The following JSON output lists the job trigger we created in the previous section. Note that the structure of the job trigger mirrors that of the JobTrigger resource.

JSON output:

{
  "jobTriggers":[
    {
      "name":"projects/[PROJECT_ID]/jobTriggers/[JOB_TRIGGER_NAME]",
      "displayName":"JobTrigger1",
      "description":"Starts a DLP scan job of a Datastore kind",
      "inspectJob":{
        "storageConfig":{
          "datastoreOptions":{
            "partitionId":{
              "projectId":"[PROJECT_ID]",
              "namespaceId":"[NAMESPACE_ID]"
            },
            "kind":{
              "name":"Example-Kind"
            }
          }
        },
        "inspectConfig":{
          "infoTypes":[
            {
              "name":"PHONE_NUMBER"
            }
          ],
          "minLikelihood":"LIKELY",
          "limits":{

          },
          "includeQuote":true
        },
        "actions":[
          {
            "saveFindings":{
              "outputConfig":{
                "table":{
                  "projectId":"[PROJECT_ID]",
                  "datasetId":"[BIGQUERY_DATASET_NAME]",
                  "tableId":"[BIGQUERY_TABLE_NAME]"
                }
              }
            }
          }
        ]
      },
      "triggers":[
        {
          "schedule":{
            "recurrencePeriodDuration":"86400s"
          }
        }
      ],
      "createTime":"2018-11-30T01:52:41.171857Z",
      "updateTime":"2018-11-30T01:52:41.171857Z",
      "status":"HEALTHY"
    },

    ...

],
  "nextPageToken":"KkwKCQjivJ2UpPreAgo_Kj1wcm9qZWN0cy92ZWx2ZXR5LXN0dWR5LTE5NjEwMS9qb2JUcmlnZ2Vycy8xNTA5NzEyOTczMDI0MDc1NzY0"
}

Java

/**
 * List all DLP triggers for a given project.
 *
 * @param projectId The project ID to run the API call under.
 */
private static void listTriggers(String projectId) {
  // Instantiates a client
  try (DlpServiceClient dlpServiceClient = DlpServiceClient.create()) {
    ListJobTriggersRequest listJobTriggersRequest =
        ListJobTriggersRequest.newBuilder()
            .setParent(ProjectName.of(projectId).toString())
            .build();
    DlpServiceClient.ListJobTriggersPagedResponse response =
        dlpServiceClient.listJobTriggers(listJobTriggersRequest);
    response
        .getPage()
        .getValues()
        .forEach(
            trigger -> {
              System.out.println("Trigger: " + trigger.getName());
              System.out.println("\tCreated: " + trigger.getCreateTime());
              System.out.println("\tUpdated: " + trigger.getUpdateTime());
              if (trigger.getDisplayName() != null) {
                System.out.println("\tDisplay name: " + trigger.getDisplayName());
              }
              if (trigger.getDescription() != null) {
                System.out.println("\tDescription: " + trigger.getDescription());
              }
              System.out.println("\tStatus: " + trigger.getStatus());
              System.out.println("\tError count: " + trigger.getErrorsCount());
            });
  } catch (Exception e) {
    System.out.println("Error listing triggers :" + e.getMessage());
  }
}

Node.js

  // Imports the Google Cloud Data Loss Prevention library
  const DLP = require('@google-cloud/dlp');

  // Instantiates a client
  const dlp = new DLP.DlpServiceClient();

  // The project ID to run the API call under
  // const callingProjectId = process.env.GCLOUD_PROJECT;

  // Construct trigger listing request
  const request = {
    parent: dlp.projectPath(callingProjectId),
  };

  // Helper function to pretty-print dates
  const formatDate = date => {
    const msSinceEpoch = parseInt(date.seconds, 10) * 1000;
    return new Date(msSinceEpoch).toLocaleString('en-US');
  };

  try {
    // Run trigger listing request
    const [triggers] = await dlp.listJobTriggers(request);
    triggers.forEach(trigger => {
      // Log trigger details
      console.log(`Trigger ${trigger.name}:`);
      console.log(`  Created: ${formatDate(trigger.createTime)}`);
      console.log(`  Updated: ${formatDate(trigger.updateTime)}`);
      if (trigger.displayName) {
        console.log(`  Display Name: ${trigger.displayName}`);
      }
      if (trigger.description) {
        console.log(`  Description: ${trigger.description}`);
      }
      console.log(`  Status: ${trigger.status}`);
      console.log(`  Error count: ${trigger.errors.length}`);
    });
  } catch (err) {
    console.log(`Error in listTriggers: ${err.message || err}`);
  }
}

async function deleteTrigger(triggerId) {
  // Imports the Google Cloud Data Loss Prevention library
  const DLP = require('@google-cloud/dlp');

  // Instantiates a client
  const dlp = new DLP.DlpServiceClient();

  // The name of the trigger to be deleted
  // Parent project ID is automatically extracted from this parameter
  // const triggerId = 'projects/my-project/triggers/my-trigger';

  // Construct trigger deletion request
  const request = {
    name: triggerId,
  };
  try {
    // Run trigger deletion request
    await dlp.deleteJobTrigger(request);
    console.log(`Successfully deleted trigger ${triggerId}.`);
  } catch (err) {
    console.log(`Error in deleteTrigger: ${err.message || err}`);
  }

}

const cli = require(`yargs`) // eslint-disable-line
  .demand(1)
  .command(
    `create <bucketName> <scanPeriod>`,
    `Create a Data Loss Prevention API job trigger.`,
    {
      infoTypes: {
        alias: 't',
        default: ['PHONE_NUMBER', 'EMAIL_ADDRESS', 'CREDIT_CARD_NUMBER'],
        type: 'array',
        global: true,
        coerce: infoTypes =>
          infoTypes.map(type => {
            return {name: type};
          }),
      },
      triggerId: {
        alias: 'n',
        default: '',
        type: 'string',
      },
      displayName: {
        alias: 'd',
        default: '',
        type: 'string',
      },
      description: {
        alias: 's',
        default: '',
        type: 'string',
      },
      autoPopulateTimespan: {
        default: false,
        type: 'boolean',
      },
      minLikelihood: {
        alias: 'm',
        default: 'LIKELIHOOD_UNSPECIFIED',
        type: 'string',
        choices: [
          'LIKELIHOOD_UNSPECIFIED',
          'VERY_UNLIKELY',
          'UNLIKELY',
          'POSSIBLE',
          'LIKELY',
          'VERY_LIKELY',
        ],
        global: true,
      },
      maxFindings: {
        alias: 'f',
        default: 0,
        type: 'number',
        global: true,
      },
    },
    opts =>
      createTrigger(
        opts.callingProjectId,
        opts.triggerId,
        opts.displayName,
        opts.description,
        opts.bucketName,
        opts.autoPopulateTimespan,
        opts.scanPeriod,
        opts.infoTypes,
        opts.minLikelihood,
        opts.maxFindings
      )
  )
  .command(`list`, `List Data Loss Prevention API job triggers.`, {}, opts =>
    listTriggers(opts.callingProjectId)
  )
  .command(
    `delete <triggerId>`,
    `Delete a Data Loss Prevention API job trigger.`,
    {},
    opts => deleteTrigger(opts.triggerId)
  )
  .option('c', {
    type: 'string',
    alias: 'callingProjectId',
    default: process.env.GCLOUD_PROJECT || '',
  })
  .example(`node $0 create my-bucket 1`)
  .example(`node $0 list`)
  .example(`node $0 delete projects/my-project/jobTriggers/my-trigger`)
  .wrap(120)
  .recommendCommands()
  .epilogue(`For more information, see https://cloud.google.com/dlp/docs.`);

if (module === require.main) {
  cli.help().strict().argv; // eslint-disable-line
}

Python

def list_triggers(project):
    """Lists all Data Loss Prevention API triggers.
    Args:
        project: The Google Cloud project id to use as a parent resource.
    Returns:
        None; the response from the API is printed to the terminal.
    """

    # Import the client library
    import google.cloud.dlp

    # Instantiate a client.
    dlp = google.cloud.dlp.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # Call the API.
    response = dlp.list_job_triggers(parent)

    # Define a helper function to convert the API's "seconds since the epoch"
    # time format into a human-readable string.
    def human_readable_time(timestamp):
        return str(time.localtime(timestamp.seconds))

    for trigger in response:
        print('Trigger {}:'.format(trigger.name))
        print('  Created: {}'.format(human_readable_time(trigger.create_time)))
        print('  Updated: {}'.format(human_readable_time(trigger.update_time)))
        if trigger.display_name:
            print('  Display Name: {}'.format(trigger.display_name))
        if trigger.description:
            print('  Description: {}'.format(trigger.discription))
        print('  Status: {}'.format(trigger.status))
        print('  Error count: {}'.format(len(trigger.errors)))

Go


// listTriggers lists the triggers for the given project.
func listTriggers(w io.Writer, client *dlp.Client, project string) {
	// Create a configured request.
	req := &dlppb.ListJobTriggersRequest{
		Parent: "projects/" + project,
	}
	// Send the request and iterate over the results.
	it := client.ListJobTriggers(context.Background(), req)
	for {
		t, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			log.Fatalf("error getting jobs: %v", err)
		}
		c := t.GetCreateTime()
		u := t.GetUpdateTime()
		fmt.Fprintf(w, "Trigger %v\n", t.GetName())
		fmt.Fprintf(w, "  Created: %v\n", time.Unix(c.GetSeconds(), int64(c.GetNanos())).Format(time.RFC1123))
		fmt.Fprintf(w, "  Updated: %v\n", time.Unix(u.GetSeconds(), int64(u.GetNanos())).Format(time.RFC1123))
		fmt.Fprintf(w, "  Display Name: %q\n", t.GetDisplayName())
		fmt.Fprintf(w, "  Description: %q\n", t.GetDescription())
		fmt.Fprintf(w, "  Status: %v\n", t.GetStatus())
		fmt.Fprintf(w, "  Error Count: %v\n", len(t.GetErrors()))
	}
}

PHP

/**
 * List Data Loss Prevention API job triggers.
 */
use Google\Cloud\Dlp\V2\DlpServiceClient;

/** Uncomment and populate these variables in your code */
// $callingProjectId = 'The project ID to run the API call under';

// Instantiate a client.
$dlp = new DlpServiceClient();

$parent = $dlp->projectName($callingProjectId);

// Run request
$response = $dlp->listJobTriggers($parent);

// Print results
$triggers = $response->iterateAllElements();
foreach ($triggers as $trigger) {
    printf('Trigger %s' . PHP_EOL, $trigger->getName());
    printf('  Created: %s' . PHP_EOL, $trigger->getCreateTime()->getSeconds());
    printf('  Updated: %s' . PHP_EOL, $trigger->getUpdateTime()->getSeconds());
    printf('  Display Name: %s' . PHP_EOL, $trigger->getDisplayName());
    printf('  Description: %s' . PHP_EOL, $trigger->getDescription());
    printf('  Status: %s' . PHP_EOL, $trigger->getStatus());
    printf('  Error count: %s' . PHP_EOL, count($trigger->getErrors()));
    $timespanConfig = $trigger->getInspectJob()->getStorageConfig()->getTimespanConfig();
    printf('  Auto-populates timespan config: %s' . PHP_EOL,
        ($timespanConfig && $timespanConfig->getEnableAutoPopulationOfTimespanConfig() ? 'yes' : 'no'));
}

C#

public static object ListJobTriggers(string projectId)
{
    DlpServiceClient dlp = DlpServiceClient.Create();

    var response = dlp.ListJobTriggers(
        new ListJobTriggersRequest
        {
            ParentAsProjectName = new ProjectName(projectId)
        });

    foreach (var trigger in response)
    {
        Console.WriteLine($"Name: {trigger.Name}");
        Console.WriteLine($"  Created: {trigger.CreateTime.ToString()}");
        Console.WriteLine($"  Updated: {trigger.UpdateTime.ToString()}");
        Console.WriteLine($"  Display Name: {trigger.DisplayName}");
        Console.WriteLine($"  Description: {trigger.Description}");
        Console.WriteLine($"  Status: {trigger.Status}");
        Console.WriteLine($"  Error count: {trigger.Errors.Count}");
    }

    return 0;
}

Delete a job trigger

To delete an existing job trigger:

Console

  1. In the GCP Console, open Cloud DLP.

    Go to Cloud DLP UI Beta

  2. Click the Job triggers tab. The console displays a list of all job triggers for the current project.

  3. In the Actions column for the job trigger you want to delete, click the three vertical dots, and then click Delete.

    Screenshot of DLP UI job triggers listing with Actions menu open.

Alternatively, from the list of job triggers, click the name of the job trigger you want to delete. On the job trigger's detail page, click Delete.

Protocol

To delete a job trigger from the current project, send a DELETE request to the jobTriggers endpoint, as shown here. Replace the [JOB_TRIGGER_NAME] field with the name that is given in the "name" field of the original JSON response to the creation request.

URL:

DELETE https://dlp.googleapis.com/v2/projects/[PROJECT_ID]/jobTriggers/[JOB_TRIGGER_NAME]?key={YOUR_API_KEY}

If the request was successful, the Cloud DLP API will return a success response. To verify the job trigger was successfully deleted, list all job triggers.

Java

/**
 * Delete a DLP trigger in a project.
 *
 * @param projectId The project ID to run the API call under.
 * @param triggerId Trigger ID
 */
private static void deleteTrigger(String projectId, String triggerId) {

  ProjectJobTriggerName triggerName = ProjectJobTriggerName.of(projectId, triggerId);
  try (DlpServiceClient dlpServiceClient = DlpServiceClient.create()) {
    DeleteJobTriggerRequest deleteJobTriggerRequest =
        DeleteJobTriggerRequest.newBuilder().setName(triggerName.toString()).build();
    dlpServiceClient.deleteJobTrigger(deleteJobTriggerRequest);

    System.out.println("Trigger deleted: " + triggerName.toString());
  } catch (Exception e) {
    System.out.println("Error deleting trigger :" + e.getMessage());
  }
}

Node.js

// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');

// Instantiates a client
const dlp = new DLP.DlpServiceClient();

// The name of the trigger to be deleted
// Parent project ID is automatically extracted from this parameter
// const triggerId = 'projects/my-project/triggers/my-trigger';

// Construct trigger deletion request
const request = {
  name: triggerId,
};
try {
  // Run trigger deletion request
  await dlp.deleteJobTrigger(request);
  console.log(`Successfully deleted trigger ${triggerId}.`);
} catch (err) {
  console.log(`Error in deleteTrigger: ${err.message || err}`);
}

Python

def delete_trigger(project, trigger_id):
    """Deletes a Data Loss Prevention API trigger.
    Args:
        project: The id of the Google Cloud project which owns the trigger.
        trigger_id: The id of the trigger to delete.
    Returns:
        None; the response from the API is printed to the terminal.
    """

    # Import the client library
    import google.cloud.dlp

    # Instantiate a client.
    dlp = google.cloud.dlp.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # Combine the trigger id with the parent id.
    trigger_resource = '{}/jobTriggers/{}'.format(parent, trigger_id)

    # Call the API.
    dlp.delete_job_trigger(trigger_resource)

    print('Trigger {} successfully deleted.'.format(trigger_resource))



if __name__ == '__main__':
    default_project = os.environ.get('GCLOUD_PROJECT')

    parser = argparse.ArgumentParser(description=__doc__)
    subparsers = parser.add_subparsers(
        dest='action', help='Select which action to perform.')
    subparsers.required = True

    parser_create = subparsers.add_parser('create', help='Create a trigger.')
    parser_create.add_argument(
        'bucket', help='The name of the GCS bucket containing the file.')
    parser_create.add_argument(
        'scan_period_days', type=int,
        help='How often to repeat the scan, in days. The minimum is 1 day.')
    parser_create.add_argument(
        '--trigger_id',
        help='The id of the trigger. If omitted, an id will be randomly '
             'generated')
    parser_create.add_argument(
        '--display_name',
        help='The optional display name of the trigger.')
    parser_create.add_argument(
        '--description',
        help='The optional description of the trigger.')
    parser_create.add_argument(
        '--project',
        help='The Google Cloud project id to use as a parent resource.',
        default=default_project)
    parser_create.add_argument(
        '--info_types', nargs='+',
        help='Strings representing info types to look for. A full list of '
             'info categories and types is available from the API. Examples '
             'include "FIRST_NAME", "LAST_NAME", "EMAIL_ADDRESS". '
             'If unspecified, the three above examples will be used.',
        default=['FIRST_NAME', 'LAST_NAME', 'EMAIL_ADDRESS'])
    parser_create.add_argument(
        '--min_likelihood',
        choices=['LIKELIHOOD_UNSPECIFIED', 'VERY_UNLIKELY', 'UNLIKELY',
                 'POSSIBLE', 'LIKELY', 'VERY_LIKELY'],
        help='A string representing the minimum likelihood threshold that '
             'constitutes a match.')
    parser_create.add_argument(
        '--max_findings', type=int,
        help='The maximum number of findings to report; 0 = no maximum.')
    parser_create.add_argument(
        '--auto_populate_timespan', type=bool,
        help='Limit scan to new content only.')

    parser_list = subparsers.add_parser('list', help='List all triggers.')
    parser_list.add_argument(
        '--project',
        help='The Google Cloud project id to use as a parent resource.',
        default=default_project)

    parser_delete = subparsers.add_parser('delete', help='Delete a trigger.')
    parser_delete.add_argument(
        'trigger_id',
        help='The id of the trigger to delete.')
    parser_delete.add_argument(
        '--project',
        help='The Google Cloud project id to use as a parent resource.',
        default=default_project)

    args = parser.parse_args()

    if args.action == 'create':
        create_trigger(
            args.project, args.bucket, args.scan_period_days, args.info_types,
            trigger_id=args.trigger_id, display_name=args.display_name,
            description=args.description, min_likelihood=args.min_likelihood,
            max_findings=args.max_findings,
            auto_populate_timespan=args.auto_populate_timespan,
        )
    elif args.action == 'list':
        list_triggers(args.project)
    elif args.action == 'delete':
        delete_trigger(args.project, args.trigger_id)

Go


// deleteTrigger deletes the given trigger.
func deleteTrigger(w io.Writer, client *dlp.Client, triggerID string) {
	req := &dlppb.DeleteJobTriggerRequest{
		Name: triggerID,
	}
	err := client.DeleteJobTrigger(context.Background(), req)
	if err != nil {
		log.Fatalf("error deleting job: %v", err)
	}
	fmt.Fprintf(w, "Successfully deleted trigger %v", triggerID)
}

PHP

/**
 * Delete a Data Loss Prevention API job trigger.
 */
use Google\Cloud\Dlp\V2\DlpServiceClient;

/** Uncomment and populate these variables in your code */
// $callingProjectId = 'The project ID to run the API call under';
// $triggerId = 'The name of the trigger to be deleted.';

// Instantiate a client.
$dlp = new DlpServiceClient();

// Run request
// The Parent project ID is automatically extracted from this parameter
$triggerName = $dlp->projectJobTriggerName($callingProjectId, $triggerId);
$response = $dlp->deleteJobTrigger($triggerName);

// Print the results
printf('Successfully deleted trigger %s' . PHP_EOL, $triggerName);

C#

public static object DeleteJobTrigger(string triggerName)
{
    DlpServiceClient dlp = DlpServiceClient.Create();

    dlp.DeleteJobTrigger(
        new DeleteJobTriggerRequest
        {
            Name = triggerName
        });

    Console.WriteLine($"Successfully deleted trigger {triggerName}.");
    return 0;
}

Update an existing job trigger

In addition to creating, listing, and deleting job triggers, you can also update an existing job trigger. To change the configuration for an existing job trigger:

Console

  1. In the GCP Console, open Cloud DLP.

    Go to Cloud DLP UI Beta

  2. Click the Job triggers tab. The console displays a list of all job triggers for the current project.

  3. In the Actions column for the job trigger you want to delete, click the three vertical dots, and then click View details.

    Screenshot of DLP UI job triggers listing with Actions menu open.

  4. On the job trigger detail page, click Edit.

  5. On the Edit trigger page, you can change the location of the input data; detection details such as templates, infoTypes, or likelihood; any post-scan actions, and the job trigger's schedule. When you're done making changes, click Save.

Protocol

Use the projects.jobTriggers.patch method to send new JobTrigger values to the Cloud DLP API to update those values within a specified job trigger.

For example, consider the following simple job trigger. This JSON represents the job trigger, and was returned after sending a GET request to the current project's job trigger endpoint.

JSON output:

{
  "name":"projects/[PROJECT_ID]/jobTriggers/[JOB_TRIGGER_NAME]",
  "inspectJob":{
    "storageConfig":{
      "cloudStorageOptions":{
        "fileSet":{
          "url":"gs://dlptesting/*"
        },
        "fileTypes":[
          "FILE_TYPE_UNSPECIFIED"
        ],
        "filesLimitPercent":100
      },
      "timespanConfig":{
        "enableAutoPopulationOfTimespanConfig":true
      }
    },
    "inspectConfig":{
      "infoTypes":[
        {
          "name":"US_SOCIAL_SECURITY_NUMBER"
        }
      ],
      "minLikelihood":"POSSIBLE",
      "limits":{

      }
    },
    "actions":[
      {
        "jobNotificationEmails":{

        }
      }
    ]
  },
  "triggers":[
    {
      "schedule":{
        "recurrencePeriodDuration":"86400s"
      }
    }
  ],
  "createTime":"2019-03-06T21:19:45.774841Z",
  "updateTime":"2019-03-06T21:19:45.774841Z",
  "status":"HEALTHY"
}

The following JSON, when sent with a PATCH request to the specified endpoint, updates the given job trigger with a new infoType to scan for, as well as a new minimum likelihood. Note that you must also specify the updateMask attribute, and that its value is in FieldMask format.

JSON input:

PATCH https://dlp.googleapis.com/v2/projects/[PROJECT_ID]/jobTriggers/[JOB_TRIGGER_NAME]?key={YOUR_API_KEY}

{
  "jobTrigger":{
    "inspectJob":{
      "inspectConfig":{
        "infoTypes":[
          {
            "name":"US_INDIVIDUAL_TAXPAYER_IDENTIFICATION_NUMBER"
          }
        ],
        "minLikelihood":"LIKELY"
      }
    }
  },
  "updateMask":"inspectJob(inspectConfig(infoTypes,minLikelihood))"
}

After you send this JSON to the specified URL, it returns the following, which represents the updated job trigger. Note that the original infoType and likelihood values have been replaced by the new values.

JSON output:

{
  "name":"projects/[PROJECT_ID]/jobTriggers/[JOB_TRIGGER_NAME]",
  "inspectJob":{
    "storageConfig":{
      "cloudStorageOptions":{
        "fileSet":{
          "url":"gs://dlptesting/*"
        },
        "fileTypes":[
          "FILE_TYPE_UNSPECIFIED"
        ],
        "filesLimitPercent":100
      },
      "timespanConfig":{
        "enableAutoPopulationOfTimespanConfig":true
      }
    },
    "inspectConfig":{
      "infoTypes":[
        {
          "name":"US_INDIVIDUAL_TAXPAYER_IDENTIFICATION_NUMBER"
        }
      ],
      "minLikelihood":"LIKELY",
      "limits":{

      }
    },
    "actions":[
      {
        "jobNotificationEmails":{

        }
      }
    ]
  },
  "triggers":[
    {
      "schedule":{
        "recurrencePeriodDuration":"86400s"
      }
    }
  ],
  "createTime":"2019-03-06T21:19:45.774841Z",
  "updateTime":"2019-03-06T21:27:01.650183Z",
  "lastRunTime":"1970-01-01T00:00:00Z",
  "status":"HEALTHY"
}

Java

/**
 * Delete a DLP trigger in a project.
 *
 * @param projectId The project ID to run the API call under.
 * @param triggerId Trigger ID
 */
private static void deleteTrigger(String projectId, String triggerId) {

  ProjectJobTriggerName triggerName = ProjectJobTriggerName.of(projectId, triggerId);
  try (DlpServiceClient dlpServiceClient = DlpServiceClient.create()) {
    DeleteJobTriggerRequest deleteJobTriggerRequest =
        DeleteJobTriggerRequest.newBuilder().setName(triggerName.toString()).build();
    dlpServiceClient.deleteJobTrigger(deleteJobTriggerRequest);

    System.out.println("Trigger deleted: " + triggerName.toString());
  } catch (Exception e) {
    System.out.println("Error deleting trigger :" + e.getMessage());
  }
}

Node.js

// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');

// Instantiates a client
const dlp = new DLP.DlpServiceClient();

// The name of the trigger to be deleted
// Parent project ID is automatically extracted from this parameter
// const triggerId = 'projects/my-project/triggers/my-trigger';

// Construct trigger deletion request
const request = {
  name: triggerId,
};
try {
  // Run trigger deletion request
  await dlp.deleteJobTrigger(request);
  console.log(`Successfully deleted trigger ${triggerId}.`);
} catch (err) {
  console.log(`Error in deleteTrigger: ${err.message || err}`);
}

Python

def delete_trigger(project, trigger_id):
    """Deletes a Data Loss Prevention API trigger.
    Args:
        project: The id of the Google Cloud project which owns the trigger.
        trigger_id: The id of the trigger to delete.
    Returns:
        None; the response from the API is printed to the terminal.
    """

    # Import the client library
    import google.cloud.dlp

    # Instantiate a client.
    dlp = google.cloud.dlp.DlpServiceClient()

    # Convert the project id into a full resource id.
    parent = dlp.project_path(project)

    # Combine the trigger id with the parent id.
    trigger_resource = '{}/jobTriggers/{}'.format(parent, trigger_id)

    # Call the API.
    dlp.delete_job_trigger(trigger_resource)

    print('Trigger {} successfully deleted.'.format(trigger_resource))



if __name__ == '__main__':
    default_project = os.environ.get('GCLOUD_PROJECT')

    parser = argparse.ArgumentParser(description=__doc__)
    subparsers = parser.add_subparsers(
        dest='action', help='Select which action to perform.')
    subparsers.required = True

    parser_create = subparsers.add_parser('create', help='Create a trigger.')
    parser_create.add_argument(
        'bucket', help='The name of the GCS bucket containing the file.')
    parser_create.add_argument(
        'scan_period_days', type=int,
        help='How often to repeat the scan, in days. The minimum is 1 day.')
    parser_create.add_argument(
        '--trigger_id',
        help='The id of the trigger. If omitted, an id will be randomly '
             'generated')
    parser_create.add_argument(
        '--display_name',
        help='The optional display name of the trigger.')
    parser_create.add_argument(
        '--description',
        help='The optional description of the trigger.')
    parser_create.add_argument(
        '--project',
        help='The Google Cloud project id to use as a parent resource.',
        default=default_project)
    parser_create.add_argument(
        '--info_types', nargs='+',
        help='Strings representing info types to look for. A full list of '
             'info categories and types is available from the API. Examples '
             'include "FIRST_NAME", "LAST_NAME", "EMAIL_ADDRESS". '
             'If unspecified, the three above examples will be used.',
        default=['FIRST_NAME', 'LAST_NAME', 'EMAIL_ADDRESS'])
    parser_create.add_argument(
        '--min_likelihood',
        choices=['LIKELIHOOD_UNSPECIFIED', 'VERY_UNLIKELY', 'UNLIKELY',
                 'POSSIBLE', 'LIKELY', 'VERY_LIKELY'],
        help='A string representing the minimum likelihood threshold that '
             'constitutes a match.')
    parser_create.add_argument(
        '--max_findings', type=int,
        help='The maximum number of findings to report; 0 = no maximum.')
    parser_create.add_argument(
        '--auto_populate_timespan', type=bool,
        help='Limit scan to new content only.')

    parser_list = subparsers.add_parser('list', help='List all triggers.')
    parser_list.add_argument(
        '--project',
        help='The Google Cloud project id to use as a parent resource.',
        default=default_project)

    parser_delete = subparsers.add_parser('delete', help='Delete a trigger.')
    parser_delete.add_argument(
        'trigger_id',
        help='The id of the trigger to delete.')
    parser_delete.add_argument(
        '--project',
        help='The Google Cloud project id to use as a parent resource.',
        default=default_project)

    args = parser.parse_args()

    if args.action == 'create':
        create_trigger(
            args.project, args.bucket, args.scan_period_days, args.info_types,
            trigger_id=args.trigger_id, display_name=args.display_name,
            description=args.description, min_likelihood=args.min_likelihood,
            max_findings=args.max_findings,
            auto_populate_timespan=args.auto_populate_timespan,
        )
    elif args.action == 'list':
        list_triggers(args.project)
    elif args.action == 'delete':
        delete_trigger(args.project, args.trigger_id)

Go


// deleteTrigger deletes the given trigger.
func deleteTrigger(w io.Writer, client *dlp.Client, triggerID string) {
	req := &dlppb.DeleteJobTriggerRequest{
		Name: triggerID,
	}
	err := client.DeleteJobTrigger(context.Background(), req)
	if err != nil {
		log.Fatalf("error deleting job: %v", err)
	}
	fmt.Fprintf(w, "Successfully deleted trigger %v", triggerID)
}

PHP

/**
 * Delete a Data Loss Prevention API job trigger.
 */
use Google\Cloud\Dlp\V2\DlpServiceClient;

/** Uncomment and populate these variables in your code */
// $callingProjectId = 'The project ID to run the API call under';
// $triggerId = 'The name of the trigger to be deleted.';

// Instantiate a client.
$dlp = new DlpServiceClient();

// Run request
// The Parent project ID is automatically extracted from this parameter
$triggerName = $dlp->projectJobTriggerName($callingProjectId, $triggerId);
$response = $dlp->deleteJobTrigger($triggerName);

// Print the results
printf('Successfully deleted trigger %s' . PHP_EOL, $triggerName);

C#

public static object DeleteJobTrigger(string triggerName)
{
    DlpServiceClient dlp = DlpServiceClient.Create();

    dlp.DeleteJobTrigger(
        new DeleteJobTriggerRequest
        {
            Name = triggerName
        });

    Console.WriteLine($"Successfully deleted trigger {triggerName}.");
    return 0;
}

Using Job triggers

This section describes how to use job triggers to only scan new content, and how to trigger jobs every time a file is uploaded to Cloud Storage using Cloud Functions.

Limit scans to only new content

You can also set an option to automatically set the timespan date for files stored in either Cloud Storage or BigQuery. Once you've set the TimespanConfig object to auto-populate, Cloud DLP will only scan data that has been added or modified since the last trigger ran:

...
  timespan_config {
        enable_auto_population_of_timespan_config: true
      }
...

Trigger jobs at file upload

In addition to the support for job triggers that is built into Cloud DLP, the GCP also has a variety of other components that can be used to integrate or trigger DLP jobs. For example, you can use Cloud Functions to trigger a DLP scan every time a file is uploaded to Cloud Storage.

For step-by-step instructions about how to do this, see Automating the classification of data uploaded to cloud storage.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Data Loss Prevention