Inspect sensitive text by using the DLP API

Learn how to scan a sample string for sensitive information by using the Cloud Data Loss Prevention API (DLP API) and JSON.


Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  4. Enable the DLP API.

  5. Create a service account:

    1. In the Google Cloud console, go to the Create service account page.

    2. Select your project.
    3. In the Service account name field, enter a name. The Google Cloud console fills in the Service account ID field based on this name.

      In the Service account description field, enter a description. For example, Service account for quickstart.

    4. Click Create and continue.
    5. To provide access to your project, grant a role to your service account. The quickstart template grants Project > Owner, but Owner is far broader than this task needs and it will be bound to a key that sits on disk. For inspection alone, Cloud DLP > DLP User (roles/dlp.user) is sufficient and is the least-privilege choice.

      In the Select a role list, select a role.

      For additional roles, click Add another role and add each additional role.

    6. Click Continue.
    7. Click Done to finish creating the service account.

      Do not close your browser window. You will use it in the next step.

  6. Create a service account key:

    1. In the Google Cloud console, click the email address for the service account that you created.
    2. Click Keys.
    3. Click Add key, and then click Create new key.
    4. Click Create. A JSON key file is downloaded to your computer.
    5. Click Close.
  7. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your service account key. This variable only applies to your current shell session, so if you open a new session, set the variable again. The key file is a long-lived credential for the service account: keep it out of version control and shared directories, and delete the key (in the console, under Keys) when you no longer need it.

  8. Install and initialize the Google Cloud CLI.

Set permissions

To inspect content, the principal that sends the request must have the serviceusage.services.use IAM permission for your project. The DLP User role carries this permission. If you call the API as the service account created above, granting it DLP User covers this; the following steps grant the same role to your own user account at the project level so that you can also call the API with your user credentials:

  1. In the Google Cloud console, go to the IAM page.

  2. Click Add.

  3. In the Add principals dialog, do the following:

    1. For New principals, enter your user email.

    2. For Select a role, select Cloud DLP, and then select DLP User.

    3. Click Save.

Inspect a string for sensitive information

This section shows you how to configure the DLP API to scan sample text using the projects.content.inspect REST method.

  1. Create a JSON request file with the following text:

    {
      "item":{
        "value":"My phone number is (800) 555-0123."
      },
      "inspectConfig":{
        "infoTypes":[
          {
            "name":"PHONE_NUMBER"
          },
          {
            "name":"US_TOLLFREE_PHONE_NUMBER"
          }
        ],
        "minLikelihood":"POSSIBLE",
        "limits":{
          "maxFindingsPerItem":0
        },
        "includeQuote":true
      }
    }
    
  2. Save the file as inspect-request.json. In this request, infoTypes lists the detectors to run, minLikelihood POSSIBLE keeps every finding rated POSSIBLE or higher (lower-rated matches are dropped), maxFindingsPerItem 0 means no limit on the number of findings returned, and includeQuote true echoes the matched text back in the response. Because of includeQuote, the sensitive value itself appears in the API response, so treat the output as sensitive and do not write it to shared logs.

  3. Go to the directory where you saved the inspect-request.json file.

  4. To complete the next steps, select one of the following tabs:

    Linux or macOS

    1. Activate the service account:

      gcloud auth activate-service-account SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
          --key-file=$GOOGLE_APPLICATION_CREDENTIALS
      

      Replace the following:

      • SERVICE_ACCOUNT_ID: the ID of your service account

      • PROJECT_ID: the ID of your Google Cloud project

    2. Set the ACCESS_TOKEN environment variable to create an authorization token:

      export ACCESS_TOKEN="$(gcloud auth print-access-token)"
      
    3. Make a content:inspect request:

      curl -s \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "Content-Type: application/json" \
      https://dlp.googleapis.com/v2/projects/PROJECT_ID/content:inspect \
      -d @inspect-request.json
      

    Windows cmd.exe

    1. Activate the service account:

      gcloud auth activate-service-account SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com ^
          --key-file=%GOOGLE_APPLICATION_CREDENTIALS%
      

      Replace the following:

      • SERVICE_ACCOUNT_ID: the ID of your service account

      • PROJECT_ID: the ID of your Google Cloud project

    2. Set the ACCESS_TOKEN environment variable to create an authorization token:

      for /f "delims=" %a in ('gcloud auth print-access-token') do @set ACCESS_TOKEN=%a
      
      The single quotes tell for /f to run the command and read its output; with double quotes, ACCESS_TOKEN would be set to the literal string. In a .bat file, write %%a instead of %a.
      
    3. Make a content:inspect request:

      curl -s ^
      -H "Authorization: Bearer %ACCESS_TOKEN%" ^
      -H "Content-Type: application/json" ^
      https://dlp.googleapis.com/v2/projects/PROJECT_ID/content:inspect ^
      -d @inspect-request.json
      

    Windows PowerShell

    1. Activate the service account:

      gcloud auth activate-service-account SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com `
          --key-file=$GOOGLE_APPLICATION_CREDENTIALS
      

      Replace the following:

      • SERVICE_ACCOUNT_ID: the ID of your service account

      • PROJECT_ID: the ID of your Google Cloud project

    2. Set the ACCESS_TOKEN environment variable to create an authorization token:

      $env:ACCESS_TOKEN=$(gcloud auth print-access-token)
      
    3. Make a content:inspect request. In Windows PowerShell, curl is an alias for Invoke-WebRequest, so call curl.exe explicitly, and read the token from $env:ACCESS_TOKEN, where the previous step stored it:

      curl.exe -s `
      -H "Authorization: Bearer $env:ACCESS_TOKEN" `
      -H "Content-Type: application/json" `
      https://dlp.googleapis.com/v2/projects/PROJECT_ID/content:inspect `
      -d @inspect-request.json
      

    The output is similar to the following:

    {
      "result": {
        "findings": [
          {
            "quote": "(800) 555-0123",
            "infoType": {
              "name": "US_TOLLFREE_PHONE_NUMBER"
            },
            "likelihood": "LIKELY",
            "location": {
              "byteRange": {
                "start": "19",
                "end": "33"
              },
              "codepointRange": {
                "start": "19",
                "end": "33"
              }
            },
            "createTime": "2022-03-09T13:49:54.027Z",
            "findingId": "2022-03-09T13:49:54.029640Z1888389906614481185"
          }
        ]
      }
    }
    
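The whole procedure above (build the request body, send it to the projects.content.inspect method with a bearer token, read the findings) as one script. This is an added example, not code from the quickstart or from Google; it uses only the Python standard library rather than the Cloud DLP client library. Assumed, and not from the page: the PROJECT_ID and ACCESS_TOKEN environment variables (set ACCESS_TOKEN from `gcloud auth print-access-token` as in the steps above) and the constructed sample response, which copies the page's example output. The check in extract_findings that each byteRange really slices out the quoted text is an addition a practitioner wants before using the offsets to redact the original string, because the offsets are into the UTF-8 bytes of the input, not its characters.

```python
"""Added example for the DLP API content:inspect quickstart (not Google's code).

Assumptions (not from the page): PROJECT_ID and ACCESS_TOKEN are read from the
environment, and the network call runs only when both are set so the helper
functions can be exercised offline against a constructed sample response.
"""
import json
import os
import urllib.request

DLP_ENDPOINT = "https://dlp.googleapis.com/v2/projects/{project}/content:inspect"

# Constructed sample: the page's input string and its example output.
SAMPLE_TEXT = "My phone number is (800) 555-0123."
SAMPLE_RESPONSE = {
    "result": {
        "findings": [
            {
                "quote": "(800) 555-0123",
                "infoType": {"name": "US_TOLLFREE_PHONE_NUMBER"},
                "likelihood": "LIKELY",
                "location": {
                    "byteRange": {"start": "19", "end": "33"},
                    "codepointRange": {"start": "19", "end": "33"},
                },
                "createTime": "2022-03-09T13:49:54.027Z",
                "findingId": "2022-03-09T13:49:54.029640Z1888389906614481185",
            }
        ]
    }
}


def build_inspect_request(text, info_types=("PHONE_NUMBER", "US_TOLLFREE_PHONE_NUMBER"),
                          min_likelihood="POSSIBLE", max_findings=0):
    """Build the same request body as inspect-request.json.

    maxFindingsPerItem=0 means no limit, which is what the page's file uses.
    """
    return {
        "item": {"value": text},
        "inspectConfig": {
            "infoTypes": [{"name": name} for name in info_types],
            "minLikelihood": min_likelihood,
            "limits": {"maxFindingsPerItem": max_findings},
            "includeQuote": True,
        },
    }


def inspect_content(project_id, access_token, body):
    """POST the request with a bearer token and return the parsed JSON reply.

    urllib raises HTTPError for 4xx/5xx, so a missing permission surfaces as
    an exception rather than a silently empty result.
    """
    req = urllib.request.Request(
        DLP_ENDPOINT.format(project=project_id),
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_findings(text, response):
    """Flatten result.findings and cross-check each byteRange against the quote.

    Offsets are strings and are byte offsets into the UTF-8 encoding of the
    input; proto3 omits "start" when it is 0, so default it.
    """
    data = text.encode("utf-8")
    findings = []
    for f in response.get("result", {}).get("findings", []):
        rng = f["location"]["byteRange"]
        start, end = int(rng.get("start", 0)), int(rng["end"])
        sliced = data[start:end].decode("utf-8")
        findings.append({
            "infoType": f["infoType"]["name"],
            "likelihood": f["likelihood"],
            "quote": f.get("quote"),
            "offsets_match_quote": sliced == f.get("quote"),
        })
    return findings


if __name__ == "__main__":
    project, token = os.environ.get("PROJECT_ID"), os.environ.get("ACCESS_TOKEN")
    if project and token:
        reply = inspect_content(project, token, build_inspect_request(SAMPLE_TEXT))
    else:
        reply = SAMPLE_RESPONSE  # offline: reuse the constructed sample output
    for finding in extract_findings(SAMPLE_TEXT, reply):
        print(finding)
```

Run it with PROJECT_ID and ACCESS_TOKEN exported to hit the live API; without them it walks the constructed sample response, which is enough to see how a finding is laid out and that its byte range matches the quote.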

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps. Whether or not you delete the project, also delete the service account key JSON file you downloaded: it is a long-lived credential, and if you keep the project, revoke the key under the service account's Keys tab as well.

Delete the project

The easiest way to eliminate billing is to delete the project that you created for the tutorial.

To delete the project:

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next

  • To get started with inspecting text and images for sensitive data, see How-to guides.

  • To better understand inspection, redaction, infoTypes, and likelihood, see Concepts.

  • Learn more about the DLP API.