Get Configuration for Encryption at Rest using Customer Key Management for One Project

Retrieves the current configuration details for Encryption at Rest using Customer Key Management for an Atlas project with one of the following providers:

Note

Atlas encrypts all storage whether or not you use your own key management.

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project ID. For existing groups, your group/project ID remains the same. The resource and corresponding endpoints use the term groups.

Note
Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

The Atlas API authenticates using HTTP Digest Authentication. Provide a programmatic API public key and corresponding private key as the username and password when constructing the HTTP request.

To learn how to configure API access for an Atlas project, see Configure Atlas API Access.

https://cloud.mongodb.com/api/atlas/v1.0

GET /groups/{PROJECT-ID}/encryptionAtRest

| Path Element | Necessity | Description |
|---|---|---|
| PROJECT-ID | Required | Unique identifier for the project. |

The following query parameters are optional:

| Query Parameter | Type | Description | Default |
|---|---|---|---|
| pretty | boolean | Displays response in a prettyprint format. | false |
| envelope | boolean | Specifies whether or not to wrap the response in an envelope. | false |

This endpoint does not use HTTP request body parameters.

| Name | Type | Description |
|---|---|---|
| awsKms | object | Specifies whether Encryption at Rest is enabled for an Atlas project and the AWS KMS configuration details. |
| awsKms.accessKeyID | string | The IAM access key ID with permissions to access the customer master key specified by customerMasterKeyID. |
| awsKms.customerMasterKeyID | string | The AWS customer master key used to encrypt and decrypt the MongoDB master keys. |
| awsKms.enabled | boolean | Specifies whether Encryption at Rest is enabled for an Atlas project. |
| awsKms.region | string | The AWS region in which the AWS customer master key exists. |
| awsKms.valid | boolean | Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only. |
| azureKeyVault | object | Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project. |
| azureKeyVault.azureEnvironment | string | The Azure environment where the Azure account credentials reside. |
| azureKeyVault.clientID | string | The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant. |
| azureKeyVault.enabled | boolean | Specifies whether Encryption at Rest is enabled for an Atlas project and the Azure Key Vault configuration details. |
| azureKeyVault.keyIdentifier | string | The unique identifier of a key in an Azure Key Vault. |
| azureKeyVault.keyVaultName | string | The name of an Azure Key Vault containing your key. |
| azureKeyVault.resourceGroupName | string | The name of the Azure Resource group that contains an Azure Key Vault. |
| azureKeyVault.subscriptionID | string | The unique identifier associated with an Azure subscription. |
| azureKeyVault.tenantID | string | Unique identifier for an Azure AD tenant within an Azure subscription. |
| azureKeyVault.valid | boolean | Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only. |
| googleCloudKms.enabled | boolean | Specifies whether Encryption at Rest is enabled for an Atlas project using Google Cloud KMS. |
| googleCloudKms.keyVersionResourceID | string | Key Version Resource ID for your Google Cloud KMS. |
| googleCloudKms.valid | boolean | Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only. |

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT-ID}/encryptionAtRest?pretty=true"

The following example response contains Encryption at Rest using Customer Key Management configuration details for an Atlas project using AWS KMS:

{
  "awsKms" : {
    "accessKeyID" : "AKIAIOSFODNN7EXAMPLE",
    "customerMasterKeyID" : "030gce02-586d-48d2-a966-05ea954fde0g",
    "enabled" : true,
    "region" : "US_EAST_1",
    "valid" : true
  },
  "azureKeyVault" : {
    "clientID" : null,
    "enabled" : false,
    "keyIdentifier" : null,
    "keyVaultName" : null,
    "resourceGroupName" : null,
    "subscriptionID" : null,
    "tenantID" : "null",
    "valid" : false
  },
  "googleCloudKms" : {
    "enabled" : false,
    "keyVersionResourceID" : null,
    "valid" : false
  }
}
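
An added example, not part of the Atlas documentation: a Python audit of this endpoint's response that reports which provider is enabled and flags any provider that is enabled while its read-only valid field is not true. The names fetch_config, audit and PAGE_SAMPLE and the finding strings are assumptions of this example; fetch_config needs network access and real API keys, audit runs offline.

```python
import json
import urllib.request

BASE_URL = "https://cloud.mongodb.com/api/atlas/v1.0"
PROVIDERS = ("awsKms", "azureKeyVault", "googleCloudKms")

# The page's example response, abridged to the two fields this audit reads.
PAGE_SAMPLE = {
    "awsKms": {"enabled": True, "valid": True},
    "azureKeyVault": {"enabled": False, "valid": False},
    "googleCloudKms": {"enabled": False, "valid": False},
}


def fetch_config(project_id, public_key, private_key):
    """GET /groups/{PROJECT-ID}/encryptionAtRest with HTTP Digest Authentication."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, BASE_URL, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    req = urllib.request.Request(
        f"{BASE_URL}/groups/{project_id}/encryptionAtRest",
        headers={"Accept": "application/json"},
    )
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)


def audit(config):
    """Return (enabled_providers, findings) for one project's response document."""
    enabled, findings = [], []
    for name in PROVIDERS:
        section = config.get(name)
        if not isinstance(section, dict) or section.get("enabled") is not True:
            continue  # provider absent or not enabled for this project
        enabled.append(name)
        # "valid" is the read-only status field: anything but true means the
        # configured key cannot currently be used to encrypt and decrypt data.
        if section.get("valid") is not True:
            findings.append(f"{name}: enabled but valid is not true")
    if not enabled:
        findings.append("no customer key management provider is enabled")
    return enabled, findings


if __name__ == "__main__":
    print(audit(PAGE_SAMPLE))  # offline run against the abridged page sample
```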