Cloud DLP IAM permissions

IAM permissions

Common permissions

Some methods do not have Cloud DLP-specific permissions. Instead, they use common permissions, because these methods can cause billable events but do not access any protected cloud resources.

All actions that trigger billable events such as the projects.content methods require the permission for the project that's specified in parent. The roles/editor, roles/owner, and roles/dlp.user roles contain the required permission or you can define your own custom roles containing this permission.

This permission ensures you are authorized to bill the project you specify.

Service account

To access Google Cloud resources and execute Cloud DLP calls on behalf of a JobTrigger, Cloud DLP uses the credentials of the Google APIs service account to authenticate to other APIs. The Google APIs service account is designed specifically to run internal Google processes on your behalf. The service account is identifiable using the email:


The Google APIs service account is created the first time it is needed. You may create it in advance by making a call to InspectContent.

curl --request POST \
  "https://dlp.googleapis.com/v2/projects/[PROJECT_ID]/locations/us-central1/content:inspect" \
  --header "X-Goog-User-Project: [PROJECT_ID]" \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{"item":{"value":""}}'

The Google APIs service account is automatically granted common permissions on the project needed for inspecting resources and is listed in the IAM section of the Google Cloud console. The service account exists indefinitely with the project and is only deleted when the project is deleted. Since Cloud DLP relies on this service account, it is not recommended that you remove it.

Job permissions

Permission name          Description
dlp.jobs.create          Create new jobs.
dlp.jobs.cancel          Cancel jobs.
dlp.jobs.delete          Delete jobs.
dlp.jobs.get             Read job objects.
dlp.jobs.list            List jobs.
dlp.jobs.hybridInspect   Make a hybrid inspect call on a hybrid job.

Job trigger permissions

Permission name                 Description
dlp.jobTriggers.create          Create new job triggers.
dlp.jobTriggers.delete          Delete job triggers.
dlp.jobTriggers.get             Read job trigger objects.
dlp.jobTriggers.list            List job triggers.
dlp.jobTriggers.update          Update job triggers.
dlp.jobTriggers.hybridInspect   Make a hybrid inspect call on a hybrid trigger.

Inspection template permissions

Permission name                 Description
dlp.inspectTemplates.create     Create new inspection templates.
dlp.inspectTemplates.delete     Delete inspection templates.
dlp.inspectTemplates.get        Read inspection template objects.
dlp.inspectTemplates.list       List inspection templates.
dlp.inspectTemplates.update     Update inspection templates.

De-identification template permissions

Permission name                   Description
dlp.deidentifyTemplates.create    Create new de-identification templates.
dlp.deidentifyTemplates.delete    Delete de-identification templates.
dlp.deidentifyTemplates.get       Read de-identification template objects.
dlp.deidentifyTemplates.list      List de-identification templates.
dlp.deidentifyTemplates.update    Update de-identification templates.

Stored infoType permissions

Permission name               Description
dlp.storedInfoTypes.create    Create new stored infoTypes.
dlp.storedInfoTypes.delete    Delete stored infoTypes.
dlp.storedInfoTypes.get       Read stored infoTypes.
dlp.storedInfoTypes.list      List stored infoTypes.
dlp.storedInfoTypes.update    Update stored infoTypes.

Misc permissions

Permission name    Description
dlp.kms.encrypt    De-identify content using encryption tokens persisted in Cloud KMS.
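The common-permissions section above notes that you can define your own custom roles instead of using roles/editor, roles/owner or roles/dlp.user. As an added example (not part of the Cloud DLP documentation), the script below builds a least-privilege "job operator" role from the permission names in the tables above and refuses any permission outside the dlp.* namespace or any delete verb; the role id, title and output file name are assumptions of this example, and the dlp.jobs.* names are the standard IAM names that follow the same resource.verb pattern as dlp.jobTriggers.*.

```shell
#!/usr/bin/env bash
# Added example: compose a least-privilege custom role for an operator who
# runs and reads Cloud DLP jobs but cannot delete jobs, triggers or templates.
# ROLE_ID and PROJECT_ID are placeholders (assumptions of this example).
set -eu

ROLE_ID="dlpJobOperator"        # hypothetical custom role id
PROJECT_ID="[PROJECT_ID]"       # placeholder, as elsewhere on this page

# Permission names taken from the permission tables; no *.delete verbs.
DLP_JOB_OPERATOR_PERMS="
dlp.jobs.create
dlp.jobs.get
dlp.jobs.list
dlp.jobs.cancel
dlp.jobTriggers.get
dlp.jobTriggers.list
dlp.inspectTemplates.get
dlp.inspectTemplates.list
"

# Guard against a later edit quietly widening the role: only dlp.*
# permissions are accepted, and any delete verb is rejected.
validate_perms() {
  for p in $1; do
    case "$p" in
      dlp.*.delete) echo "refusing destructive permission: $p" >&2; return 1 ;;
      dlp.*) ;;
      *) echo "not a Cloud DLP permission: $p" >&2; return 1 ;;
    esac
  done
}

# Emit the role definition in the YAML shape accepted by
#   gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=role.yaml
make_role_yaml() {
  validate_perms "$1" || return 1
  printf 'title: "DLP job operator"\n'
  printf 'description: "Run and read Cloud DLP jobs; no delete rights"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  for p in $1; do printf '  - %s\n' "$p"; done
}

# Print the role YAML; redirect it to a file and pass that to gcloud.
make_role_yaml "$DLP_JOB_OPERATOR_PERMS"
```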