Cloud DLP IAM permissions

IAM Permissions

Common permissions

Some methods do not have Cloud DLP-specific permissions. Instead, they use common ones, as the methods can cause billable events, but do not access any protected cloud resources.

All actions that trigger billable events such as the projects.content methods require the serviceusage.services.use permission for the project that's specified in parent. The roles/editor, roles/owner, and roles/dlp.user roles contain the required permission or you can define your own custom roles containing this permission.

This permission ensures you are authorized to bill the project you specify.

Service account

To access both Google Cloud resources and execute calls to Cloud DLP by means of a JobTrigger, Cloud DLP uses the credentials of the Cloud Data Loss Prevention Service Agent to authenticate to other APIs. A service agent is a special type of service account that runs internal Google processes on your behalf. The service agent is identifiable using the email:

service-PROJECT_NUMBER@dlp-api.iam.gserviceaccount.com

The Cloud Data Loss Prevention Service Agent is created the first time it is needed. You can create it in advance by making a call to InspectContent:

curl --request POST \
  "https://dlp.googleapis.com/v2/projects/PROJECT_ID/locations/us-central1/content:inspect" \
  --header "X-Goog-User-Project: PROJECT_ID" \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{"item":{"value":"google@google.com"}}' \
  --compressed

Replace PROJECT_ID with the project ID.

The Cloud Data Loss Prevention Service Agent is automatically granted common permissions on the project that are needed for inspecting resources and is listed in the IAM section of the Google Cloud Console. The service agent exists indefinitely with the project and is only deleted when the project is deleted. Cloud DLP relies on this service agent, so you should not remove it.

Job permissions

Permission name	Description
`dlp.jobs.create`	Create new jobs.
`dlp.jobs.cancel`	Cancel jobs.
`dlp.jobs.delete`	Delete jobs.
`dlp.jobs.get`	Read job objects.
`dlp.jobs.list`	List jobs.
`dlp.jobs.hybridInspect`	Make a hybrid inspect call on a hybrid job.

Job trigger permissions

Permission name	Description
`dlp.jobTriggers.create`	Create new job triggers.
`dlp.jobTriggers.delete`	Delete job triggers.
`dlp.jobTriggers.get`	Read job trigger objects.
`dlp.jobTriggers.list`	List job triggers.
`dlp.jobTriggers.update`	Update job triggers.
`dlp.jobTriggers.hybridInspect`	Make a hybrid inspect call on a hybrid trigger.

Inspection template permissions

Permission name	Description
`dlp.inspectTemplates.create`	Create new inspection templates.
`dlp.inspectTemplates.delete`	Delete inspection templates.
`dlp.inspectTemplates.get`	Read inspection template objects.
`dlp.inspectTemplates.list`	List inspection templates.
`dlp.inspectTemplates.update`	Update inspection templates.

De-identification template permissions

Permission name	Description
`dlp.deidentifyTemplates.create`	Create new de-identification templates.
`dlp.deidentifyTemplates.delete`	Delete de-identification templates.
`dlp.deidentifyTemplates.get`	Read de-identification template objects.
`dlp.deidentifyTemplates.list`	List de-identification templates.
`dlp.deidentifyTemplates.update`	Update de-identification templates.

Stored infoType permissions

Permission name	Description
`dlp.storedInfoTypes.create`	Create new stored infotypes.
`dlp.storedInfoTypes.delete`	Delete stored infotypes.
`dlp.storedInfoTypes.get`	Read stored infotypes.
`dlp.storedInfoTypes.list`	List stored infotypes.
`dlp.storedInfoTypes.update`	Update stored infotypes.

Misc permissions

Permission name	Description
`dlp.kms.encrypt`	De-identify content using encryption tokens persisted in Cloud KMS.