This page shows you how to perform basic tasks in the Cloud Data Loss Prevention API using a command-line interface. Specifically, this quickstart covers sending a short string to the DLP API for inspection.
Before you begin
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the DLP API.
- Set up authentication:
  - In the Cloud Console, go to the Create service account key page.
  - From the Service account list, select New service account.
  - In the Service account name field, enter a name.
  - From the Role list, select Project > Owner.
  - Click Create. A JSON file that contains your key downloads to your computer.
  - Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your service account key. This variable only applies to your current shell session, so if you open a new session, set the variable again.
Permissions
Inspecting content requires the serviceusage.services.use permission for the project that's specified in parent. The roles/editor, roles/owner, and roles/dlp.user roles contain the required permission, or you can define your own custom role.
To give your user the dlp.user role at the project level:
Web UI
- Open the IAM page in the Google Cloud Console.
- If a project hasn't already been selected, click the project selector, then select your project.
- On the IAM page:
  - To add a new user, click Add.
  - To add the dlp.user role to an existing user, click Edit member for that user, and then click Add another role in the Edit permissions pane.
- In the Add members pane:
  - In the New members field, type the email address of the user you're adding, for example, test@example.com.
  - For Roles, click Select a role and choose Cloud DLP > DLP User.
- Click Add.
For more information, see Grant an IAM role.
Command-line
To add a single binding to the project's IAM policy, type the following command:

    gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:SERVICE_ID --role roles/dlp.user

Replace the following:
- PROJECT_ID: the project ID.
- SERVICE_ID: the service account to be used.
The command writes the updated policy to the console window:

    bindings:
    - members:
      - group: EMAIL_ADDRESS
      role: roles/dlp.user

Replace EMAIL_ADDRESS with the email address of the user you're adding.
Set up a Cloud DLP CLI app
Node.js
- Clone or download a ZIP file of the Node.js DLP client library, and then expand the downloaded file.
- Open a command-line tool and navigate to the samples directory within the expanded directory.
- Install the app dependencies by running npm install while in the samples directory.
- If you haven't done so already, create the GCLOUD_PROJECT environment variable and set it to the project ID of the Google Cloud project you set up to use with Cloud DLP:
gcloud alpha dlp
Install and initialize the Cloud SDK.
This procedure also requires the gcloud Alpha Commands component. You can install it now or install it later when prompted.
Inspect a string for sensitive information
This section shows you how to use the DLP API to scan sample text.
Node.js
This example uses the inspectString Node.js script. If you haven't already, open a command-line tool. Navigate to the samples folder of the Node.js samples repository that you downloaded and expanded in the previous section.
Run the following command:

    node inspectString.js PROJECT_ID "My email address is joe@example.com."

Replace PROJECT_ID with your project ID.
You receive the following output:

    Findings:
        Quote: joe@example.com
        Info type: EMAIL_ADDRESS
        Likelihood: LIKELY

gcloud alpha dlp
This example uses the gcloud alpha dlp text inspect command. If you haven't already, open a command-line tool.
Run the following command:

    gcloud alpha dlp text inspect --project="PROJECT_ID" \
        --content="My email address is joe@example.com." \
        --include-quote --info-types="EMAIL_ADDRESS"

Replace PROJECT_ID with your project ID.
If you haven't already installed the gcloud Alpha Commands component, the system asks if you want to install it first. To continue, press Y.
You receive the following output:

    result:
      findings:
      - createTime: '2021-02-26T19:31:28.051Z'
        findingId: 2021-02-26T19:31:28.054696Z5687834655654299045
        infoType:
          name: EMAIL_ADDRESS
        likelihood: LIKELY
        location:
          byteRange:
            end: '35'
            start: '20'
          codepointRange:
            end: '35'
            start: '20'
        quote: joe@example.com

You've just sent your first request to the DLP API.
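In the output above, byteRange is a byte offset and codepointRange a code-point offset; they are equal only because the sample text is ASCII. The following Node.js function is an added example, not part of this page's samples: it masks each finding in the original text using byteRange. The name maskFindings and the sample objects are constructed here, and it assumes the offsets index the UTF-8 encoding of the inspected text.

```javascript
// Added example; maskFindings and the sample data are constructed here.
// Assumes byteRange offsets index the UTF-8 encoding of the inspected text.
const sampleContent = 'My email address is joe@example.com.';
const sampleFindings = [{
  infoType: { name: 'EMAIL_ADDRESS' },
  likelihood: 'LIKELY',
  location: { byteRange: { start: '20', end: '35' } },
  quote: 'joe@example.com',
}];

// Replace every finding with [INFO_TYPE_NAME] and return the masked text.
function maskFindings(content, findings) {
  const bytes = Buffer.from(content, 'utf8');
  // Offsets arrive as strings; a missing start is treated as 0 here.
  const spans = findings.map((f) => ({
    start: Number(f.location.byteRange.start || 0),
    end: Number(f.location.byteRange.end),
    label: `[${f.infoType.name}]`,
    quote: f.quote,
  })).sort((a, b) => a.start - b.start);

  const parts = [];
  let cursor = 0;
  for (const s of spans) {
    const valid = Number.isInteger(s.start) && Number.isInteger(s.end) &&
      s.start >= cursor && s.start < s.end && s.end <= bytes.length;
    if (!valid) {
      throw new RangeError(`bad or overlapping byteRange ${s.start}-${s.end}`);
    }
    // If a quote was returned (--include-quote), confirm the range points at
    // it, so offsets computed against a different copy are not applied.
    const found = bytes.subarray(s.start, s.end).toString('utf8');
    if (s.quote !== undefined && found !== s.quote) {
      throw new Error(`byteRange ${s.start}-${s.end} does not match quote`);
    }
    parts.push(bytes.subarray(cursor, s.start), Buffer.from(s.label, 'utf8'));
    cursor = s.end;
  }
  parts.push(bytes.subarray(cursor));
  return Buffer.concat(parts).toString('utf8');
}

console.log(maskFindings(sampleContent, sampleFindings));
```

Slicing the JavaScript string directly with these offsets gives the wrong span as soon as the text contains a multi-byte character, which is why the function works on a Buffer and checks the slice against the returned quote.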
What's next?
- Read how-to guides to get started with inspecting text and images, as well as redacting sensitive data from text.
- Read Concepts to better understand inspection, redaction, Infotypes and likelihood.
- Take a look at the Service API Reference and the Node.js client library API Reference.