Common permissions
Some methods do not have Cloud DLP-specific permissions. Instead, they use common ones, as the methods can cause billable events, but do not access any protected cloud resources.
All actions that trigger billable events such as the
projects.content
methods require the serviceusage.services.use permission for the project
that's specified in parent. The roles/editor, roles/owner, and
roles/dlp.user roles contain the required permission or you can define your
own custom roles containing this permission.
This permission ensures you are authorized to bill the project you specify.
Service account
To access both Google Cloud resources and execute calls to
Cloud DLP by means of a
JobTrigger,
Cloud DLP uses the credentials of the
Google APIs service account to authenticate to other APIs. The Google APIs
service account is designed specifically to run internal Google processes on
your behalf. The service account is identifiable using the email:
service-[PROJECT_NUMBER]@dlp-api.iam.gserviceaccount.com
The Google APIs service account is created the first time it is needed. You may
create it in advance by making a call to
InspectContent.
curl --request POST \
"https://dlp.googleapis.com/v2/projects/[PROJECT_ID]/locations/us-central1/content:inspect" \\
--header "X-Goog-User-Project: [PROJECT_ID]" \\
--header "Authorization: Bearer $(gcloud auth print-access-token)" \\
--header 'Accept: application/json' \\
--header 'Content-Type: application/json' \\
--data '{"item":{"value":"google@google.com"}}' \\
--compressed
The Google APIs service account is automatically granted common permissions on the project needed for inspecting resources and is listed in the IAM section of the Google Cloud console. The service account exists indefinitely with the project and is only deleted when the project is deleted. Since Cloud DLP relies on this service account, it is not recommended that you remove it.
Job permissions
| Permission name | Description |
|---|---|
dlp.jobs.create |
Create new jobs. |
dlp.jobs.cancel |
Cancel jobs. |
dlp.jobs.delete |
Delete jobs. |
dlp.jobs.get |
Read job objects. |
dlp.jobs.list |
List jobs. |
dlp.jobs.hybridInspect |
Make a hybrid inspect call on a hybrid job. |
Job trigger permissions
| Permission name | Description |
|---|---|
dlp.jobTriggers.create |
Create new job triggers. |
dlp.jobTriggers.delete |
Delete job triggers. |
dlp.jobTriggers.get |
Read job trigger objects. |
dlp.jobTriggers.list |
List job triggers. |
dlp.jobTriggers.update |
Update job triggers. |
dlp.jobTriggers.hybridInspect |
Make a hybrid inspect call on a hybrid trigger. |
Inspection template permissions
| Permission name | Description |
|---|---|
dlp.inspectTemplates.create |
Create new inspection templates. |
dlp.inspectTemplates.delete |
Delete inspection templates. |
dlp.inspectTemplates.get |
Read inspection template objects. |
dlp.inspectTemplates.list |
List inspection templates. |
dlp.inspectTemplates.update |
Update inspection templates. |
De-identification template permissions
| Permission name | Description |
|---|---|
dlp.deidentifyTemplates.create |
Create new de-identification templates. |
dlp.deidentifyTemplates.delete |
Delete de-identification templates. |
dlp.deidentifyTemplates.get |
Read de-identification template objects. |
dlp.deidentifyTemplates.list |
List de-identification templates. |
dlp.deidentifyTemplates.update |
Update de-identification templates. |
Stored infoType permissions
| Permission name | Description |
|---|---|
dlp.storedInfoTypes.create |
Create new stored infotypes. |
dlp.storedInfoTypes.delete |
Delete stored infotypess. |
dlp.storedInfoTypes.get |
Read stored infotypes. |
dlp.storedInfoTypes.list |
List stored infotypess. |
dlp.storedInfoTypes.update |
Update stored infotypess. |
Misc permissions
| Permission name | Description |
|---|---|
dlp.kms.encrypt |
De-identify content using encryption tokens persisted in Cloud KMS. |