Cloud Data Loss Prevention (Cloud DLP) is now a part of Sensitive Data Protection. The API name remains the same: Cloud Data Loss Prevention API (DLP API). For information about the services that make up Sensitive Data Protection, see Sensitive Data Protection overview.
Stay organized with collections
Save and categorize content based on your preferences.
IAM permissions
Common permissions
Some methods do not have Sensitive Data Protection-specific permissions. Instead,
they use common ones, as the methods can cause billable events, but do not
access any protected cloud resources.
All actions that trigger billable events such as the
projects.content
methods require the serviceusage.services.use permission for the project
that's specified in parent. The roles/editor, roles/owner, and
roles/dlp.user roles contain the required permission or you can define your
own custom roles containing this permission.
This permission ensures you are authorized to bill the project you specify.
Service account
To access both Google Cloud resources and execute calls to
Sensitive Data Protection,
Sensitive Data Protection uses the credentials of the
Cloud Data Loss Prevention Service Agent to authenticate to other APIs. A
service agent is a special type of service account that runs internal Google
processes on your behalf. The service agent is identifiable using the email:
The Cloud Data Loss Prevention Service Agent is automatically granted common
permissions on the project that are needed for inspecting resources and is
listed in the IAM section of the Google Cloud console. The service agent exists
indefinitely with the project and is only deleted when the project is deleted.
Sensitive Data Protection relies on this service agent, so you should not remove
it.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-19 UTC."],[],[],null,["# Sensitive Data Protection IAM permissions\n\nIAM permissions\n\n\u003cbr /\u003e\n\nCommon permissions\n------------------\n\nSome methods do not have Sensitive Data Protection-specific permissions. Instead,\nthey use common ones, as the methods can cause billable events, but do not\naccess any protected cloud resources.\n\nAll actions that trigger billable events such as the\n[`projects.content`](/sensitive-data-protection/docs/reference/rest/v2/projects.content)\nmethods require the `serviceusage.services.use` permission for the project\nthat's specified in `parent`. The `roles/editor`, `roles/owner`, and\n`roles/dlp.user` roles contain the required permission or you can define your\nown [custom roles](/iam/docs/creating-custom-roles) containing this permission.\n\nThis permission ensures you are authorized to bill the project you specify.\n\nService account\n---------------\n\nTo access both Google Cloud resources and execute calls to\nSensitive Data Protection,\nSensitive Data Protection uses the credentials of the\nCloud Data Loss Prevention Service Agent to authenticate to other APIs. A\nservice agent is a special type of service account that runs internal Google\nprocesses on your behalf. The service agent is identifiable using the email: \n\n```\nservice-PROJECT_NUMBER@dlp-api.iam.gserviceaccount.com\n```\n\nThe Cloud Data Loss Prevention Service Agent is created the first time it is\nneeded. You can create it in advance by making a call to\n[`InspectContent`](/sensitive-data-protection/docs/reference/rest/v2/projects.content/inspect): \n\n```bash\ncurl --request POST \\\n \"https://dlp.googleapis.com/v2/projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/locations/us-central1/content:inspect\" \\\n --header \"X-Goog-User-Project: \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\" \\\n --header \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n --header 'Accept: application/json' \\\n --header 'Content-Type: application/json' \\\n --data '{\"item\":{\"value\":\"google@google.com\"}}' \\\n --compressed\n```\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the [project ID](/resource-manager/docs/creating-managing-projects#before_you_begin).\n\nThe Cloud Data Loss Prevention Service Agent is automatically granted common\npermissions on the project that are needed for inspecting resources and is\nlisted in the IAM section of the Google Cloud console. The service agent exists\nindefinitely with the project and is only deleted when the project is deleted.\nSensitive Data Protection relies on this service agent, so you should not remove\nit.\n| **Note:** If you are using Sensitive Data Protection to scan critical resources, such as those protected by additional custom Identity and Access Management roles, you must assign those additional IAM roles to the Cloud Data Loss Prevention Service Agent. For example, if you want to use Sensitive Data Protection to inspect files in Google Cloud that are restricted to only a subset of individuals, you must grant the appropriate role to the Cloud Data Loss Prevention Service Agent.\n| **Warning:** If you remove the Cloud Data Loss Prevention Service Agent or revoke its roles, all [jobs](/sensitive-data-protection/docs/reference/rest/v2/projects.dlpJobs) and [job triggers](/sensitive-data-protection/docs/reference/rest/v2/projects.jobTriggers) will fail.\n\nFor more information on how service accounts are used in data profiling\noperations, see [Service agent container and service agent](/sensitive-data-protection/docs/data-profiles#service-agent-container).\n\nJob permissions\n---------------\n\nJob trigger permissions\n-----------------------\n\nInspection template permissions\n-------------------------------\n\nDe-identification template permissions\n--------------------------------------\n\nData profile permissions\n------------------------\n\nEstimate permissions\n--------------------\n\nStored infoType permissions\n---------------------------\n\nSubscription permissions\n------------------------\n\nChart permissions\n-----------------\n\nMiscellaneous permissions\n-------------------------"]]