Google Cloud DLP

3.34.0 verified Tue May 12 auth: no python install: verified quickstart: stale

The `google-cloud-dlp` Python client library provides programmatic access to the Google Cloud Data Loss Prevention (DLP) API, now part of Sensitive Data Protection. It enables scanning, discovering, classifying, and redacting privacy-sensitive data (like PII) within text, images, and various Google Cloud storage repositories such as BigQuery and Cloud Storage. The library is currently at version 3.34.0 and follows the continuous release cadence typical of Google Cloud client libraries, offering frequent updates and enhancements.

pip install google-cloud-dlp

Common errors

error google.api_core.exceptions.PermissionDenied: 403 Permission denied. The DLP API has not been used in project [PROJECT_ID] before or it is disabled. ↓

cause The Google Cloud Data Loss Prevention (DLP) API is not enabled for the specified Google Cloud project, or the service account lacks the necessary permissions to access the API.

fix

1. Enable the DLP API for your project: gcloud services enable dlp.googleapis.com. 2. Ensure your service account has the roles/dlp.user (DLP User) role or a custom role with dlp.jobs.create, serviceusage.services.use permissions.

error ModuleNotFoundError: No module named 'google.cloud.dlp_v2' ↓

cause This error typically indicates that the `google-cloud-dlp` library is not installed, or there's a Python environment issue where the installed package is not accessible, or an older version of the library is installed with a different module structure.

fix

Ensure the google-cloud-dlp library is correctly installed in your active Python environment: pip install google-cloud-dlp. If using a virtual environment, activate it first. If the error persists, check for conflicting package versions or try reinstalling Python.

error AttributeError: 'DlpServiceClient' object has no attribute 'project_path' ↓

cause This error often occurs due to a version incompatibility between the `google-cloud-dlp` library and the code being executed. Methods or attributes might have changed in different library versions.

fix

Upgrade your google-cloud-dlp library to the latest version or a compatible version. If you are following specific code samples, ensure your library version matches the documentation's requirements. pip install --upgrade google-cloud-dlp or pip install google-cloud-dlp==<compatible_version>.

error google.api_core.exceptions.ResourceExhausted: 429 Quota exceeded for quota group 'DlpRequestsPerMinutePerProject' and limit 'Dlp requests per minute per project'. ↓

cause The number of requests to the DLP API has exceeded the allocated quota for your project within a given time frame.

fix

Reduce the rate of your API requests, implement exponential backoff and retry logic, or request a quota increase through the Google Cloud Console's 'IAM & Admin' -> 'Quotas' page if your usage justifies it.

error The request concerns location 'us-central1' but was sent to location 'global'. Regional APIs must be called with a regional endpoint. ↓

cause DLP API operations must be directed to the correct regional endpoint if the resources (e.g., Cloud Storage buckets, BigQuery datasets, KMS keys) or the nature of the operation requires a specific region, but the client was initialized or the request was made to the global endpoint.

fix

When creating the DlpServiceClient, specify the regional endpoint. For example, client_options=ClientOptions(api_endpoint='us-central1-dlp.googleapis.com') for us-central1. Ensure all related resources (like KMS keys) are in the same region.

Warnings

gotcha Authentication requires enabling the DLP API and typically using Application Default Credentials (ADC) with a service account. Set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the path of your service account key file, and ensure the service account has the `roles/dlp.user` role. API keys are supported for some methods but not for `deidentify` or `reidentify` requests that use Cloud Key Management Service (KMS) wrapped keys. ↓

fix Enable the DLP API in your GCP project. Create a service account with `roles/dlp.user`, download its JSON key, and set `export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json`.

breaking Python 3.6 and older versions are no longer supported. The last version compatible with Python 2.7 was `google-cloud-dlp==1.1.0`. ↓

fix Upgrade your Python environment to version 3.7 or newer.

gotcha The library's logging functionality can emit RPC events that may contain sensitive information. Access to these logs should be restricted, and users should not depend on the immutability of log message content or levels. ↓

fix Implement robust access controls for any stored logs generated by the `google-cloud-dlp` client library.

gotcha When operating behind a TLS-intercepting proxy, gRPC-based Google Cloud client libraries (including DLP) may encounter SSL certificate trust issues. ↓

fix The recommended solution is to bypass the proxy for Google API endpoints by enabling Private Google Access in your VPC subnet.

gotcha Many DLP API operations, such as `inspect_content` and `deidentify_content`, require a `parent` argument in the format `projects/{project_id}`. Forgetting this or providing an incorrect project ID will result in errors. ↓

fix Always construct the `parent` argument correctly using `client.project_path(project_id)` or `f'projects/{project_id}'`.

gotcha It is crucial to explicitly enable the Cloud Data Loss Prevention API in your Google Cloud project via the GCP Console or `gcloud services enable dlp.googleapis.com` before using the client library. Otherwise, you will receive `API not enabled` errors. ↓

fix Navigate to the Google Cloud Console's 'APIs & Services' dashboard and enable the 'Cloud Data Loss Prevention API' for your project.

Install compatibility verified last tested: 2026-05-12

python os / libc status wheel install import disk

3.10 alpine (musl) - - 2.56s 70.1M

3.10 slim (glibc) - - 1.13s 68M

3.11 alpine (musl) - - 3.38s 75.0M

3.11 slim (glibc) - - 1.93s 73M

3.12 alpine (musl) - - 3.16s 66.5M

3.12 slim (glibc) - - 2.17s 64M

3.13 alpine (musl) - - 3.08s 66.0M

3.13 slim (glibc) - - 2.22s 64M

3.9 alpine (musl) - - 2.39s 70.2M

3.9 slim (glibc) - - 1.32s 68M

Imports

DlpServiceClient

wrong

from google.cloud.dlp import DlpServiceClient

correct

from google.cloud import dlp_v2
client = dlp_v2.DlpServiceClient()

The client is typically accessed via the versioned submodule `dlp_v2`.

Quickstart stale last tested: 2026-04-23

This quickstart demonstrates how to initialize the DLP client and inspect a string of text for sensitive information like email addresses and phone numbers. Ensure your Google Cloud Project ID is set as the `GOOGLE_CLOUD_PROJECT` environment variable for authentication, and the DLP API is enabled for your project.

import os
from google.cloud import dlp_v2
from google.cloud.dlp_v2 import types

def inspect_text(project_id: str, text_content: str):
    """
    Inspects a string of text for sensitive data using Google Cloud DLP.

    Args:
        project_id: The Google Cloud project ID.
        text_content: The string to inspect.
    """
    if not project_id:
        print("GOOGLE_CLOUD_PROJECT environment variable or project_id not set.")
        return

    client = dlp_v2.DlpServiceClient()

    # Construct the item to inspect
    item = {"value": text_content}

    # The info types to search for in the content.
    # See https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference
    info_types = [{"name": "EMAIL_ADDRESS"}, {"name": "PHONE_NUMBER"}]

    # The minimum likelihood to constitute a match.
    min_likelihood = types.Likelihood.POSSIBLE

    # Configuration for the inspection request
    inspect_config = {
        "info_types": info_types,
        "min_likelihood": min_likelihood,
        "limits": {"max_findings_per_request": 0} # 0 for no limit
    }

    # Construct the parent path
    parent = f"projects/{project_id}"

    # Call the API
    try:
        response = client.inspect_content(
            request={
                "parent": parent,
                "inspect_config": inspect_config,
                "item": item,
            }
        )

        if response.result.findings:
            print("Findings:")
            for finding in response.result.findings:
                if finding.quote:
                    print(f"  Quote: {finding.quote}")
                print(f"  Info type: {finding.info_type.name}")
                print(f"  Likelihood: {types.Likelihood(finding.likelihood).name}")
        else:
            print("No findings.")

    except Exception as e:
        print(f"Error during DLP inspection: {e}")

if __name__ == "__main__":
    # Set your Google Cloud Project ID as an environment variable or replace 'your-gcp-project-id'
    project = os.environ.get("GOOGLE_CLOUD_PROJECT", "") 
    if not project:
        raise ValueError("Please set the GOOGLE_CLOUD_PROJECT environment variable or provide a project_id.")
    
    sensitive_text = "My email is test@example.com and my phone number is (123) 456-7890."
    inspect_text(project, sensitive_text)