Applies HMAC_SHA256 to hash values in the column.

  • sourceColumns – An array of existing columns.

  • secretId – The ARN of the Secrets Manager secret key to use to hash the source columns, or databrew!default.

  • secretVersion – Optional. Defaults to the latest secret version.

  • entityTypeFilter – Optional array of entity types. Can be used to encrypt only detected PII in free-text column.

  • createSecretIfMissing – Optional boolean. If true will attempt to create the secret on behalf of the caller.

{ "sourceColumns": ["phonenumber"], "secretId": "arn:aws:secretsmanager:us-east-1:012345678901:secret:mysecret", "entityTypeFilter": ["USA_ALL"] }

When working in the interactive experience, in addition to the project’s role, the console user must have permission to secretsmanager:GetSecretValue on the provided Secrets Manager secret.

Sample policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:us-east-1:012345678901:secret:mysecret" ] } ] }

You may also opt to use the DataBrew-created default secret by passing databrew!default as secretId and parameter createSecretIfMissing as true. This is not recommended for production. Anyone with the AwsGlueDataBrewFullAccessPolicy role can use the default secret.