使用 DLP API 檢查機密文字

瞭解如何使用機密資料保護服務的 Cloud Data Loss Prevention API 和 JSON,掃描字串範例中是否含有機密資訊。

如要直接在 Google Cloud 控制台按照逐步指南操作,請按一下「Guide me」(逐步引導)

逐步引導

事前準備

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. Install the Google Cloud CLI.

  3. 如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI

  4. 如要初始化 gcloud CLI,請執行下列指令: 

    gcloud init

  5. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the DLP API:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

    gcloud services enable dlp.googleapis.com

  8. Grant roles to your user account. Run the following command once for each of the following IAM roles: roles/dlp.user 

    gcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE

    Replace the following:

    • PROJECT_ID: Your project ID.
    • USER_IDENTIFIER: The identifier for your user account. For example, myemail@example.com.
    • ROLE: The IAM role that you grant to your user account.

  9. Install the Google Cloud CLI.

  10. 如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI

  11. 如要初始化 gcloud CLI,請執行下列指令: 

    gcloud init

  12. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  13. Verify that billing is enabled for your Google Cloud project.

  14. Enable the DLP API:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

    gcloud services enable dlp.googleapis.com

  15. Grant roles to your user account. Run the following command once for each of the following IAM roles: roles/dlp.user 

    gcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE

    Replace the following:

    • PROJECT_ID: Your project ID.
    • USER_IDENTIFIER: The identifier for your user account. For example, myemail@example.com.
    • ROLE: The IAM role that you grant to your user account.
    16.

    檢查字串是否含有機密資訊

    本節說明如何設定 DLP API,使用 projects.content.inspect REST 方法掃描文字範例。

    本節要求您將範例要求儲存為 JSON 檔案。如果您使用 Cloud Shell,則可透過 Cloud Shell 編輯器建立檔案。如要啟動編輯器,請按一下 Cloud Shell 視窗工具列上的「Open Editor」(開啟編輯器)

    使用任何要求資料之前,請先替換以下項目:

    • PROJECT_ID:您的 Google Cloud 專案 ID。專案 ID 為英數字串,例如 my-project

    HTTP 方法和網址:

    POST https://dlp.googleapis.com/v2/projects/PROJECT_ID/content:inspect

    JSON 要求主體:

    {
  "item": {
    "value": "My phone number is (800) 555-0123."
  },
  "inspectConfig": {
    "infoTypes": [
      {
        "name": "PHONE_NUMBER"
      },
      {
        "name": "US_TOLLFREE_PHONE_NUMBER"
      }
    ],
    "minLikelihood": "POSSIBLE",
    "limits": {
      "maxFindingsPerItem": 0
    },
    "includeQuote": true
  }
}

    如要傳送要求,請展開以下其中一個選項:

    您應該會收到如下的 JSON 回應:

    {
  "result": {
    "findings": [
      {
        "quote": "(800) 555-0123",
        "infoType": {
          "name": "US_TOLLFREE_PHONE_NUMBER"
        },
        "likelihood": "LIKELY",
        "location": {
          "byteRange": {
            "start": "19",
            "end": "33"
          },
          "codepointRange": {
            "start": "19",
            "end": "33"
          }
        },
        "createTime": "2022-09-23T01:53:05.303Z",
        "findingId": "2022-09-23T01:53:05.306348Z5328915744504121862"
      }
    ]
  }
}

    清除所用資源

    如要避免系統向您的 Google Cloud 帳戶收取本頁面所用資源的費用,請刪除含有這些資源的 Google Cloud 專案。

    刪除專案

    如果您為本快速入門導覽課程建立了新專案,如要避免產生額外費用,最簡單的方法就是刪除該專案。

      Delete a Google Cloud project:

      gcloud projects delete PROJECT_ID

    撤銷憑證

    Optional: Revoke credentials from the gcloud CLI. 

    gcloud auth revoke

    後續步驟

    • 如要開始檢查文字和圖片中的機密資料,請參閱使用指南

    • 如要進一步瞭解檢查、遮蓋、infoType 和可能性,請參閱「概念」一文。

    • 進一步瞭解 DLP API