Google Cloud Data Loss Prevention (DLP) Decrypt Transformation
The Google Cloud Data Loss Prevention (DLP) Decrypt transformation is available in the Hub.
This plugin uses Google’s Data Loss Prevention APIs which charge the user depending on the volume of data analyzed (not transformed). More details on the exact costs can be found here.
Plugin version: 1.4.0
This plugin decrypts sensitive data that was encrypted by DLP using a reversible encryption transform, such as Format Preserving Encryption. The plugin works by reversing the encryption specified in the config. Therefore, you must provide the same configuration properties that were used to encrypt the data. In other words, the configuration in this plugin and the DLP Redaction plugin must be identical for the decrypt to function correctly.
Permissions
In order for this plugin to function, it requires permissions to access the Data Loss Prevention APIs. These permissions are granted through the service account that is provided in the plugin configuration. If the service account path is set to auto-detect, then it will use a service account with the name service-<project-number>@gcp-sa-datafusion.iam.gserviceaccount.com.
The DLP Administrator role must be granted to the service account to allow this plugin to access the DLP APIs.
When using Deterministic Encryption with a KMS Wrapped Key, the Cloud KMS CryptoKey Encrypter/Decrypter role must be granted to the Cloud Data Loss Prevention Service Agent.
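As an added illustration of the requirement above that the decrypt configuration match the encrypt configuration exactly (example code written for this page, not part of the plugin or of Google's client libraries), the following Python builds the de-identify and re-identify configurations from one shared format-preserving-encryption transformation and reports any difference between the two before a request is sent. The dict layout follows the JSON field names of the DLP REST API (recordTransformations, fieldTransformations, cryptoReplaceFfxFpeConfig, kmsWrapped); the project ID, KMS key name and wrapped key are constructed placeholders, and the function names are assumptions of this example.

```python
"""Build matching DLP de-identify / re-identify configs for FPE and check them for drift.

Dict shapes follow the JSON field names of the Cloud DLP REST API
(DeidentifyConfig -> RecordTransformations -> FieldTransformation ->
CryptoReplaceFfxFpeConfig -> CryptoKey.kmsWrapped). Nothing here talks to
the API; it only prepares and validates request bodies.
"""
import copy
import json

# Constructed placeholders: substitute real resource names before use.
PROJECT_ID = "example-project"
KMS_KEY_NAME = ("projects/example-project/locations/global/keyRings/"
                "example-ring/cryptoKeys/example-key")
WRAPPED_KEY_B64 = "PLACEHOLDER_BASE64_KMS_WRAPPED_DATA_KEY"


def fpe_transformation(fields, kms_key_name, wrapped_key_b64,
                       alphabet="ALPHA_NUMERIC", surrogate="SSN_TOKEN"):
    """One FieldTransformation applying cryptoReplaceFfxFpeConfig to `fields`.

    The same object must be used on the encrypt (de-identify) and decrypt
    (re-identify) side; DLP derives the FPE key from the KMS-wrapped key, and
    the alphabet and surrogate must also agree or the reversal fails.
    """
    return {
        "fields": [{"name": f} for f in fields],
        "primitiveTransformation": {
            "cryptoReplaceFfxFpeConfig": {
                "cryptoKey": {
                    "kmsWrapped": {
                        "wrappedKey": wrapped_key_b64,
                        "cryptoKeyName": kms_key_name,
                    }
                },
                "commonAlphabet": alphabet,          # FfxCommonNativeAlphabet value
                "surrogateInfoType": {"name": surrogate},
            }
        },
    }


def deidentify_config(transformation):
    """DeidentifyConfig used by the encrypting (Redaction) side."""
    return {"recordTransformations": {"fieldTransformations": [transformation]}}


def reidentify_config(transformation):
    """reidentifyConfig has the same DeidentifyConfig shape; deep-copy so that
    later edits to one side cannot silently leak into the other."""
    return {"recordTransformations":
            {"fieldTransformations": [copy.deepcopy(transformation)]}}


def request_bodies(project_id, transformation):
    """JSON bodies for content:deidentify and content:reidentify in one location."""
    parent = f"projects/{project_id}/locations/global"
    return {
        "parent": parent,
        "deidentify": {"deidentifyConfig": deidentify_config(transformation)},
        "reidentify": {"reidentifyConfig": reidentify_config(transformation)},
    }


def crypto_configs(config):
    """Map field name -> cryptoReplaceFfxFpeConfig for every transformed field."""
    out = {}
    for ft in config["recordTransformations"]["fieldTransformations"]:
        crypto = ft["primitiveTransformation"].get("cryptoReplaceFfxFpeConfig")
        for field in ft["fields"]:
            out[field["name"]] = crypto
    return out


def config_mismatches(deid, reid):
    """Return human-readable differences between encrypt and decrypt configs.

    An empty list means the decrypt plugin is configured identically to the
    encrypt plugin, which is the precondition stated in the documentation.
    """
    d, r = crypto_configs(deid), crypto_configs(reid)
    problems = []
    for name in sorted(set(d) | set(r)):
        if name not in r:
            problems.append(f"{name}: encrypted but not listed for decryption")
        elif name not in d:
            problems.append(f"{name}: listed for decryption but never encrypted")
        elif d[name] != r[name]:
            problems.append(f"{name}: crypto parameters differ")
    return problems


if __name__ == "__main__":
    shared = fpe_transformation(["ssn"], KMS_KEY_NAME, WRAPPED_KEY_B64)
    bodies = request_bodies(PROJECT_ID, shared)
    print(json.dumps(bodies, indent=2))
    print("mismatches:", config_mismatches(
        bodies["deidentify"]["deidentifyConfig"],
        bodies["reidentify"]["reidentifyConfig"]))
```

Running the check with a deliberately different commonAlphabet (for example NUMERIC on the decrypt side) reports "ssn: crypto parameters differ", which is the kind of drift that otherwise surfaces only as garbage output or an API error at pipeline run time.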
Metrics
This plugin records three metrics:
dlp.requests.count: Total number of requests sent to the Data Loss Prevention API.
dlp.requests.success: Number of requests that were successfully processed by the Data Loss Prevention API.
dlp.requests.fail: Number of requests that failed.
Custom Template Path
Use this option to specify a custom template path for an inspection template located in a project other than the one specified in Project Id.
Configuration
Property | Macro Enabled? | Version Introduced | Description |
---|---|---|---|
Use custom template | No | | Required. Enabling this option will allow you to define a custom DLP inspection Template to use for matching during the transformation. Default is No. |
Template ID | Yes | | Optional. ID of the Inspection Template found in DLP. |
Custom Template Path | Yes | 6.7.0/1.3.0 | Optional. Custom template path of the DLP inspection template. |
Resource Location | Yes | 6.7.0/1.3.0 | Optional. Use this property to specify the resource location for the DLP Service. For more information, see https://cloud.google.com/dlp/docs/specifying-location. Default is global. |
Fields to Transform | Yes | | Required. This field contains the rules for which fields should be transformed, as well as the configurations for the transforms. |
Service Account Path | Yes | | Optional. Path on the local file system of the service account key used for authorization. Can be set to auto-detect when running on a Dataproc cluster. When running on other clusters, the file must be present on every node in the cluster. Default is auto-detect. |
Project Id | Yes | | Optional. Google Cloud project ID, which uniquely identifies a project. It can be found on the Dashboard in the Google Cloud Platform console. Default is auto-detect. |
Created in 2020 by Google Inc.