Quickstart: Using a command-line tool

This page shows you how to perform basic tasks in the Cloud Data Loss Prevention API using a command-line interface. Specifically, this quickstart covers sending a short string to the DLP API for inspection.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
Enable the DLP API.
Enable the API

Create a service account:
1. In the Cloud Console, go to the Create service account page.
  Go to Create service account
2. Select a project.
3. In the Service account name field, enter a name. The Cloud Console fills in the Service account ID field based on this name.
  
  In the Service account description field, enter a description. For example, Service account for quickstart.
4. Click Create.
5. Click the Select a role field.
  
  Under Quick access, click Basic, then click Owner.
  
  Note: The Role field affects which resources your service account can access in your project. You can revoke these roles or grant additional roles later. In production environments, do not grant the Owner, Editor, or Viewer roles. For more information, see Granting, changing, and revoking access to resources.
6. Click Continue.
7. Click Done to finish creating the service account.
  
  Do not close your browser window. You will use it in the next step.
Create a service account key:
1. In the Cloud Console, click the email address for the service account that you created.
2. Click Keys.
3. Click Add key, then click Create new key.
4. Click Create. A JSON key file is downloaded to your computer.
5. Click Close.
Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your service account key. This variable only applies to your current shell session, so if you open a new session, set the variable again.
Example: Linux or macOS
```
export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
```
Replace KEY_PATH with the path of the JSON file that contains your service account key.

For example:
```
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"
```
Example: Windows

For PowerShell:
```
$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
```
Replace KEY_PATH with the path of the JSON file that contains your service account key.

For example:
```
$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"
```
For command prompt:
```
set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH
```
Replace KEY_PATH with the path of the JSON file that contains your service account key.

Permissions

Inspecting content requires the serviceusage.services.use permission for the project that's specified in parent. The roles/editor, roles/owner, and roles.dlp.user roles contain the required permission or you can define your own custom role.

To give your user the dlp.user role at the project level:

Web UI

Open the IAM page in the Google Cloud Console.
Open the IAM page
If a project hasn't already been selected, click the project selector, then select your project.
On the IAM page:
- To add a new user, click Add.
- To add the dlp.user role to an existing user, click Edit member for that user, and then click Add another role in the Edit permissions pane.
In the Add members pane:
- In the New members field, type the email address of the user you're adding—for example, test@example.com.
- For Roles, click Select a role and choose Cloud DLP > DLP User.
Click Add.

For more information, see Grant an IAM role.

Command-line

To add a single binding to the project's IAM policy, type the following command:
```
gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:SERVICE_ID --role roles/dlp.user
```
Replace the following:
- PROJECT_ID: the project ID.
- SERVICE_ID: the service account to be used.
Write the updated policy to the console window:
```
bindings:
- members:
  - group: EMAIL_ADDRESS
    role: roles/dlp.user
```
Replace EMAIL_ADDRESS with the email address of the user you're adding.

Set up a Cloud DLP CLI app

Node.js

Download and install Node.js and NPM.
Clone or download a zip file of the Node.js DLP client library, and then expand the downloaded file.
Open a command-line tool and navigate to the samples directory within the expanded directory.
Install the app dependencies by running npm install while in the samples directory.
If you haven't done so already, create the GCLOUD_PROJECT environment variable and set it to the project ID of the Google Cloud project you set up to use with Cloud DLP:

Linux or macOS

export GCLOUD_PROJECT="[PROJECT_ID]"

Windows

With PowerShell:

$env:GCLOUD_PROJECT="[PROJECT_ID]"

With command prompt:

set GCLOUD_PROJECT=[PROJECT_ID]

gcloud alpha dlp

Install and initialize the Cloud SDK.

This procedure also requires the gcloud Alpha Commands component. You can install it now or install it later when prompted.
Activate the service account:
```
gcloud auth activate-service-account SERVICE_ACCOUNT \\
 --key-file=PATH_TO_SERVICE_ACCOUNT_KEY
```
Replace the following:
- SERVICE_ACCOUNT: the ID of your service account.
- PATH_TO_SERVICE_ACCOUNT_KEY: the path to the JSON file containing your service account's private key. This is the JSON file that you downloaded when you set up authentication in the Before you begin section.

Inspect a string for sensitive information

This section shows you how to use the DLP API to scan sample text.

Node.js

This example uses the inspectString Node.js script. If you haven't already, open a command-line tool. Navigate to the samples folder of the Node.js samples repository that you downloaded and expanded in the previous section.

Run the following command:

node inspectString.js PROJECT_ID "My email address is joe@example.com."

Replace PROJECT_ID with your project ID.

You receive the following output:

Findings:
  Quote: joe@example.com
  Info type: EMAIL_ADDRESS
  Likelihood: LIKELY

gcloud alpha dlp

This example uses the gcloud alpha dlp text inspect command. If you haven't already, open a command-line tool.

Run the following command:

gcloud alpha dlp text inspect --project="PROJECT_ID" \
--content="My email address is joe@example.com." \
--include-quote --info-types="EMAIL_ADDRESS"

Replace PROJECT_ID with your project ID.

If you haven't already installed the gcloud Alpha Commands component, the system asks if you want to install it first. To continue, press Y.

You receive the following output:

result:
findings:
- createTime: '2021-02-26T19:31:28.051Z'
  findingId: 2021-02-26T19:31:28.054696Z5687834655654299045
  infoType:
    name: EMAIL_ADDRESS
  likelihood: LIKELY
  location:
    byteRange:
      end: '35'
      start: '20'
    codepointRange:
      end: '35'
      start: '20'
  quote: joe@example.com

You've just sent your first request to the DLP API.

What's next?

Read how-to guides to get started with inspecting text and images, as well as redacting sensitive data from text.
Read Concepts to better understand inspection, redaction, Infotypes and likelihood.
Take a look at the Service API Reference and the Node.js client library API Reference.