# Copyright 2020 The Data Catalog Tag History Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. title: "Data tokenization Runner" description: "Perform data sampling, identification and tokenization using Dataflow and DLP, also update Entry in Data Catalog" stage: "BETA" includedPermissions: # Generic - resourcemanager.projects.get # DLP permissions - serviceusage.services.use - dlp.kms.encrypt # BigQuery permissions to use as BigQuery source - bigquery.datasets.get - bigquery.datasets.getIamPolicy - bigquery.jobs.create - bigquery.jobs.get - bigquery.jobs.list - bigquery.jobs.listAll - bigquery.jobs.update - bigquery.tables.get - bigquery.tables.getData - bigquery.tables.list - bigquery.tables.export - bigquery.tables.getIamPolicy # Permission to use BigQuery Storage API for reading - bigquery.readsessions.create - bigquery.readsessions.getData - bigquery.readsessions.update # Permissions required for using as BigQuery table destination - bigquery.datasets.create - bigquery.datasets.update - bigquery.tables.setIamPolicy - bigquery.tables.create - bigquery.tables.delete - bigquery.tables.update - bigquery.tables.updateData - bigquery.datasets.create - bigquery.datasets.setIamPolicy # Dataflow permissions - compute.instanceGroupManagers.update - compute.instances.delete - compute.instances.setDiskAutoDelete - dataflow.jobs.get - logging.logEntries.create # Storage permissions - storage.objects.create - storage.objects.get - storage.objects.list - storage.objects.update - storage.objects.delete # KMS permissions - cloudkms.cryptoKeyVersions.useToDecrypt - cloudkms.cryptoKeyVersions.useToEncrypt # Cloud Secret Manager - secretmanager.versions.access # Cloud SQL Permissions - cloudsql.instances.get - cloudsql.instances.connect - cloudsql.instances.login # Data Catalog Permissions - datacatalog.categories.fineGrainedGet - datacatalog.entries.create - datacatalog.entries.delete - datacatalog.entries.get - datacatalog.entries.update - datacatalog.entries.updateTag - datacatalog.entryGroups.get - datacatalog.tagTemplates.get - datacatalog.tagTemplates.getTag - datacatalog.tagTemplates.use