This page applies to Apigee and Apigee hybrid.
View
Apigee Edge documentation.
Overview
The SanitizeUserPrompt policy protects AI applications from harmful content by sanitizing user prompts sent to generative AI models. The policy uses Model Armor to evaluate user prompts for harmful content, enabling native protection for AI workloads using Apigee. Model Armor is a Google Cloud service offering AI security and safety measures to mitigate the risks associated with large language models (LLMs).
This policy is used in conjunction with the SanitizeModelResponse policy.
This policy is an Extensible policy and use of this policy might have cost or utilization implications, depending on your Apigee license. For information on policy types and usage implications, see Policy types.
Before you begin
Before you use the SanitizeUserPrompt policy, you must complete the following tasks:
- Create a Model Armor template. This step must be completed before you create a SanitizeUserPrompt policy.
- Set the API endpoint for the Model Armor service.
- Create a SanitizeModelResponse policy. This task must be completed before you deploy the SanitizeUserPrompt policy.
Required roles
To get the permissions that you need to apply and use the SanitizeUserPrompt policy, ask your administrator to grant you the following IAM roles on the service account you use to deploy Apigee proxies:
-
Model Armor User (
roles/modelarmor.user) -
Model Armor Viewer (
roles/modelarmor.viewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Enable APIs
Enable the Model Armor API.
<SanitizeUserPrompt> element
Defines a SanitizeUserPrompt policy.
| Default Value | See Default Policy tab, below |
| Required? | Required |
| Type | Complex object |
| Parent Element | N/A |
| Child Elements |
<DisplayName><IgnoreUnresolvedVariables><TemplateName><UserPromptSource> |
The <SanitizeUserPrompt> element uses the following syntax:
Syntax
<SanitizeUserPrompt async="false" continueOnError="false" enabled="true" name="sanitize-text">
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<DisplayName>Sanitize-Text-sample</DisplayName>
<ModelArmor>
<TemplateName>projects/{project}/locations/{location}/templates/{template-name}</TemplateName>
</ModelArmor>
<UserPromptSource>{jsonPath('$.contents[-1].parts[-1].text',request.content,true)}</UserPromptSource>
</SanitizeUserPrompt>Default Policy
The following example shows the default settings when you add a SanitizeUserPrompt policy to your request flow in the Apigee UI:
<SanitizeUserPrompt async="false" continueOnError="false" enabled="true" name="sanitize-text">
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<DisplayName>Sanitize-Text-sample</DisplayName>
<ModelArmor>
<TemplateName>projects/{project}/locations/{location}/templates/{template-name}</TemplateName>
</ModelArmor>
<UserPromptSource>{jsonPath('$.contents[-1].parts[-1].text',request.content,true)}</UserPromptSource>
</SanitizeUserPrompt>When you insert a new SanitizeUserPrompt policy using the Apigee UI, the template contains stubs for all possible operations. See below for information on required elements.
This element has the following attributes that are common to all policies:
| Attribute | Default | Required? | Description |
|---|---|---|---|
name |
N/A | Required |
The internal name of the policy. The value of the Optionally, use the |
continueOnError |
false | Optional | Set to false to return an error when a policy fails. This is expected behavior for
most policies. Set to true to have flow execution continue even after a policy
fails. See also:
|
enabled |
true | Optional | Set to true to enforce the policy. Set to false to turn off the
policy. The policy will not be enforced even if it remains attached to a flow. |
async |
false | Deprecated | This attribute is deprecated. |
The following table provides a high level description of the child elements of <SanitizeUserPrompt>:
| Child Element | Required? | Description |
|---|---|---|
<DisplayName> |
Optional | The name of the policy. |
<IgnoreUnresolvedVariables> |
Optional | Specifies whether processing stops if the variable used for the template name or Model Armor payload is unresolved. |
<ModelArmor> |
Required | Contains the required information for specifying the Model Armor template. |
<UserPromptSource> |
Optional | The location of the payload for the user prompt text to be extracted. Only string text values are supported.
This field supports Apigee message template syntax, including the use of variables or JSON Path functions. For example: {jsonpath('$.input.prompt.text',request.content,false)} |
Example
This section provides an example using the <SanitizeUserPrompt>.
This example uses all default values for model detection and prompt extraction:
<SanitizeUserPrompt async="false" continueOnError="false" enabled="true" name="sanitize-text">
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<DisplayName>Sanitize-Text-sample</DisplayName>
<ModelArmor>
<TemplateName>projects/{project}/locations/{location}/templates/{template-name}</TemplateName>
</ModelArmor>
</SanitizeUserPrompt>Child element reference
This section describes the child elements of <SanitizeUserPrompt>.
<DisplayName>
Use in addition to the name attribute to label the policy in the
management UI proxy editor with a different, more natural-sounding name.
The <DisplayName> element is common to all policies.
| Default Value | N/A |
| Required? | Optional. If you omit <DisplayName>, the value of the
policy's name attribute is used. |
| Type | String |
| Parent Element | <PolicyElement> |
| Child Elements | None |
The <DisplayName> element uses the following syntax:
Syntax
<PolicyElement> <DisplayName>POLICY_DISPLAY_NAME</DisplayName> ... </PolicyElement>
Example
<PolicyElement> <DisplayName>My Validation Policy</DisplayName> </PolicyElement>
The <DisplayName> element has no attributes or child elements.
<IgnoreUnresolvedVariables>
Determines whether processing stops when a variable is unresolved. Set to
true to ignore unresolved variables and continue processing.
| Default Value | False |
| Required? | Optional |
| Type | Boolean |
| Parent Element |
<SanitizeUserPrompt>
|
| Child Elements | None |
<ModelArmor>
Contains the required information for specifying the Model Armor template.
| Default Value | N/A |
| Required? | Required |
| Type | String |
| Parent Element | |
| Child Elements |
<TemplateName>
|
The <ModelArmor> element uses the following syntax:
Syntax
<ModelArmor>
<TemplateName>projects/{project}/locations/{location}/templates/{template-name}</TemplateName>
</ModelArmor>Example
This example uses Apigee flow variables to populate the required information.
<ModelArmor> <TemplateName>projects/{organization.name}/locations/{system.region.name}/templates/{id}</TemplateName> </ModelArmor>
The following table provides a high-level description of the child elements of
<ModelArmor>.
| Child Element | Required? | Description |
|---|---|---|
<TemplateName> |
Required | String The Model Armor template used to sanitize the user prompt. This value can be templated using the following Apigee flow variables: projects/{organization.name}/locations/{system.region.name}/templates/{id} |
<UserPromptSource>
The location of the payload for the user prompt text to be extracted. This field supports Apigee message template syntax, including the use of variables or JSON Path functions. For example:
{jsonpath('$.input.prompt.text',request.content,false)}
| Default Value | {jsonPath($.contents[-1].parts[-1].text,request.content,true)} |
| Required? | Optional |
| Type | String |
| Parent Element |
<SanitizeUserPrompt>
|
| Child Elements | None |
Flow variables
Flow variables can be used to configure dynamic runtime behavior for policies and flows, based on HTTP headers or message content, or the context available in the Flow. For more information about flow variables, see Flow variables reference.
The policy can set these read-only variables during execution.
| Variable name | Description |
|---|---|
SanitizeModelResponse.POLICY_NAME.templateUsed |
Specifies which model armor template is used. For example:
projects/myproject/locations/us-west1/templates/mytemplate |
SanitizeModelResponse.POLICY_NAME.userPrompt |
Specifies the prompt content used for the call to Model Armor to sanitize the content. |
SanitizeModelResponse.POLICY_NAME.modelResponse |
Specifies the LLM response content used for the call to Model Armor to sanitize the content. |
SanitizeModelResponse.POLICY_NAME.responseFromModelArmor |
Specifies the json response from Model Armor. |
SanitizeModelResponse.POLICY_NAME.filterMatchState |
Specifies whether the filter was matched. Valid values include MATCH_FOUND and NO_MATCH_FOUND. |
SanitizeModelResponse.POLICY_NAME.invocationResult |
A field indicating the outcome of the invocation, irrespective of match status. It can have
the following:
|
SanitizeModelResponse.POLICY_NAME.raiFilterResult.executionState |
Rai filter execution result. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED. |
SanitizeModelResponse.POLICY_NAME.raiFilterResult.matchState |
Rai filter match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND. |
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.inspectResult.executionState |
Sdp filter inspect result execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED. |
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.inspectResult.matchState |
Sdp filter inspect result match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND. |
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.deidentifyResult.executionState |
Sdp filter de identify result execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED. |
SanitizeModelResponse.POLICY_NAME.sdpFilterResult.deidentifyResult.matchState |
Sdp filter de identify result match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND. |
SanitizeModelResponse.POLICY_NAME.piAndJailbreakFilterResult.executionState |
Prompt injection and Jailbreak filter results execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED. |
SanitizeModelResponse.POLICY_NAME.piAndJailbreakFilterResult.matchState |
Prompt injection and Jailbreak filter results match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND. |
SanitizeModelResponse.POLICY_NAME.csamFilterFilterResult.executionState |
CSAM filter execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED. |
SanitizeModelResponse.POLICY_NAME.csamFilterFilterResult.matchState |
CSAM filter match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND. |
SanitizeModelResponse.POLICY_NAME.maliciousUriFilterResult.executionState |
Malicious URI filter execution state. Valid values include EXECUTION_SUCCESS and EXECUTION_SKIPPED. |
SanitizeModelResponse.POLICY_NAME.maliciousUriFilterResult.matchState |
Malicious URI filter match state. Valid values include MATCH_FOUND and NO_MATCH_FOUND. |
SanitizeModelResponse.POLICY_NAME.sanitizationMetadata.errorCode |
Custom overridden Error code if present in Model Armor response. |
SanitizeModelResponse.POLICY_NAME.sanitizationMetadata.errorMessage |
Custom overridden Error code if present in Model Armor response. |
SanitizeModelResponse.POLICY_NAME.csamFilterMatched/code> |
Boolean value indicating whether the CSAM filter matched. |
SanitizeModelResponse.POLICY_NAME.maliciousURIs |
Appended list of malicious URIs detected by the malicious URI filter. |
SanitizeModelResponse.POLICY_NAME.maliciousURIsDetected |
Boolean value indicating whether the malicious URI filter matched. |
SanitizeModelResponse.POLICY_NAME.matchesFound |
Boolean value indicating whether any of the filters matched. |
SanitizeModelResponse.POLICY_NAME.promptInjectionDetected |
Boolean value indicating whether the prompt injection filter matched. |
SanitizeModelResponse.POLICY_NAME.promptInjectionConfidence |
Confidence level of prompt injection detection. |
SanitizeModelResponse.POLICY_NAME.raiMatchesFound |
Boolean value indicating whether the RAI filter matched. |
SanitizeModelResponse.POLICY_NAME.requestSentToModelArmor |
Boolean value indicating whether a request was sent to Model Armor. |
SanitizeModelResponse.POLICY_NAME.sanitizeOperation |
Specifies the operation performed by the policy. Valid values include SANITIZE_USER_PROMPT
and SANITIZE_MODEL_RESPONSE. |
Error reference
This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee specific to the SanitizeUserPrompt policy. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults.
Runtime errors
These errors can occur when the policy executes.
| Fault code | HTTP status | Cause |
|---|---|---|
steps.sanitize.user.prompt.response.FilterMatched |
400 |
This error occurs if the user prompt does not pass the Model Armor template check. |
steps.sanitize.user.prompt.SanitizationResponseParsingFailed |
500 |
This error occurs if the Model Armor response cannot be parsed. |
steps.sanitize.user.prompt.FailedToExtractUserPrompt |
500 |
This error occurs if the automatic user prompt extraction for the default value failed. |
steps.sanitize.user.prompt.InternalError |
500 |
This error occurs if there is an internal server error. |
steps.sanitize.modelarmor.ModelArmorTemplateNameExtractionFailed |
500 |
This error occurs if the template name cannot be resolved. |
steps.sanitize.modelarmor.AuthenticationFailure |
500 |
This error occurs if the service account does not have permission to call the Model Armor API. |
steps.sanitize.modelarmor.ModelArmorAPIFailed |
500 |
This error occurs if the Model Armor API throws an error. |
steps.sanitize.modelarmor.ModelArmorCalloutError |
500 |
This error occurs if the Model Armor API call fails. |
steps.sanitize.modelarmor.ServiceUnavailable |
500 |
This error occurs if the Model Armor service is unavailable. |
Deployment errors
These errors can occur when you deploy a proxy containing this policy.
| Error name | Cause |
|---|---|
The ModelArmor/TemplateName element is required. |
Occurs if the <TemplateName> element in <ModelArmor> is not present. |
The TemplateName element value is required. |
Occurs if the <TemplateName> value is empty. |
Fault variables
These variables are set when this policy triggers an error at runtime. For more information, see What you need to know about policy errors.
| Variables | Where | Example |
|---|---|---|
fault.name="FAULT_NAME" |
FAULT_NAME is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code. | fault.name Matches "UnresolvedVariable" |
SanitizeUserPrompt.POLICY_NAME.failed |
POLICY_NAME is the user-specified name of the policy that threw the fault. | SanitizeUserPrompt.sanitize-prompt.failed = true |
Example error response
{ "fault": { "faultstring": "SanitizeUserPrompt[sanitize-prompt]: unable to resolve variable [variable_name]", "detail": { "errorcode": "steps.sanitizeuserprompt.UnresolvedVariable" } } }
Example fault rule
<FaultRule name="SanitizeUserPrompt Faults">
<Step>
<Name>SUP-CustomSetVariableErrorResponse</Name>
<Condition>(fault.name = "SetVariableFailed")</Condition>
</Step>
<Condition>(sanitizeuserprompt.failed = true)</Condition>
</FaultRule>Model Armor template error code and error messages
The Model Armor template supports overriding error codes and error messages thrown by the SanitizeUserPrompt policy's API requests. If the user sets the overrides, then the Model Armor error codes and error messages will populate the flow variables.
For example, a response with Model Armor error codes and messages could look like the following:
{ "sanitizationResult": { "filterMatchState": "MATCH_FOUND", "filterResults": {...}, "sanitizationMetadata": { "errorCode": "890", "errorMessage": "get out" }, "invocationResult": "SUCCESS" } }
Schemas
Each policy type is defined by an XML schema (.xsd). For reference, policy schemas
are available on GitHub.