This page describes the service agents that are relevant to Sensitive Data Protection.
Service agents
Service agents are service accounts that are created and managed by Google. Service agents act as an identity for Google Cloud services to access resources within your project on your behalf.
Service agents are created at some point after you enable and use a Google Cloud API. Upon creation, Google often grants a specific, predefined IAM role to the service agent on your project. These roles contain the minimum permissions required for the service agent to function correctly. For a full list of service agents that are granted roles, see Service agents in the IAM documentation.
To access Google Cloud resources and to make calls to Sensitive Data Protection on your behalf, Sensitive Data Protection authenticates to other APIs using the credentials of the Cloud Data Loss Prevention Service Agent. A service agent is a special type of service account that runs internal Google processes on your behalf. The service agent is identifiable by the following email: service-PROJECT_NUMBER@dlp-api.iam.gserviceaccount.com
The Cloud Data Loss Prevention Service Agent is created when it is first needed. You can create it in advance by calling InspectContent:

curl --request POST \
  "https://dlp.googleapis.com/v2/projects/PROJECT_ID/locations/us-central1/content:inspect" \
  --header "X-Goog-User-Project: PROJECT_ID" \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data '{"item":{"value":"google@google.com"}}' \
  --compressed

Replace PROJECT_ID with the project ID.
The Cloud Data Loss Prevention Service Agent is automatically granted common permissions on the project that are needed for inspecting resources and is listed in the Identity and Access Management section of the Google Cloud console. The service agent exists for the life of the project and is deleted only when the project is deleted. Sensitive Data Protection relies on this service agent, so do not remove it.
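Because the service agent's identity follows a fixed pattern and its grants appear in the project IAM policy, you can audit them. The following added example (not part of this page or of Google's tooling) derives the agent email from a project number and reports which roles a project IAM policy binds to it, flagging any beyond an expected set; the policy shape matches what `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, the sample policy and project numbers are constructed, and `roles/dlp.serviceAgent` is assumed to be the expected role (this page does not name it).

```python
"""Audit the Cloud Data Loss Prevention Service Agent's IAM bindings on a project."""
import json
import re

DLP_AGENT_DOMAIN = "dlp-api.iam.gserviceaccount.com"


def dlp_service_agent_email(project_number) -> str:
    """Build the agent email service-PROJECT_NUMBER@dlp-api.iam.gserviceaccount.com."""
    if not re.fullmatch(r"\d+", str(project_number)):
        raise ValueError("project number must be numeric; the project ID is not accepted")
    return f"service-{project_number}@{DLP_AGENT_DOMAIN}"


def audit_dlp_agent(policy: dict, project_number, expected_roles: set) -> dict:
    """Report the roles the agent holds and any outside expected_roles.

    expected_roles is supplied by the caller (assumption: taken from the IAM
    'Service agents' reference); `present` False usually means the agent has
    not been created yet because the API has not been used.
    """
    member = "serviceAccount:" + dlp_service_agent_email(project_number)
    bindings = policy.get("bindings", [])
    roles = sorted(b["role"] for b in bindings if member in b.get("members", []))
    # Other identities on the agent's domain (e.g. another project's number) are suspicious.
    foreign = sorted({m for b in bindings for m in b.get("members", [])
                      if m.endswith("@" + DLP_AGENT_DOMAIN) and m != member})
    return {
        "agent": member,
        "present": bool(roles),
        "roles": roles,
        "unexpected_roles": sorted(set(roles) - set(expected_roles)),
        "foreign_dlp_agents": foreign,
    }


# Constructed sample policy; project numbers 123456789012 and 999999999999 are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/dlp.serviceAgent",
   "members": ["serviceAccount:service-123456789012@dlp-api.iam.gserviceaccount.com"]},
  {"role": "roles/owner",
   "members": ["user:alice@example.com",
               "serviceAccount:service-123456789012@dlp-api.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["serviceAccount:service-999999999999@dlp-api.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    report = audit_dlp_agent(SAMPLE_POLICY, "123456789012", {"roles/dlp.serviceAgent"})
    print(json.dumps(report, indent=2))
```

Run against a real policy by replacing SAMPLE_POLICY with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and passing the project's numeric project number.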
For more information about the Cloud Data Loss Prevention Service Agent in discovery operations, see Service agent container and service agent.
What's next
- To learn more about service accounts, see Service account overview in the IAM documentation.
- To learn more about service agents, see Service agents in the IAM documentation.
- To learn how to use service accounts securely, see Best practices for using service accounts securely in the IAM documentation.
- Learn more about how the sensitive data discovery service uses service agent containers and service agents to profile your data resources.