• API >
• API Resources >
• Encryption at Rest using Customer Key Management >
• Get Configuration for Encryption at Rest using Customer Key Management for One Project

Get Configuration for Encryption at Rest using Customer Key Management for One Project

Retrieves the current configuration details for Encryption at Rest using Customer Key Management for an Atlas project with one of the following providers:

• Amazon Web Services Key Management Service
• Azure Key Vault
• Google Cloud KMS

Note

Atlas encrypts all storage whether or not you use your own key management.

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project ID. For existing groups, your group/project ID remains the same. The resource and corresponding endpoints use the term groups.

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

The Atlas API authenticates using HTTP Digest Authentication. Provide a programmatic API public key and corresponding private key as the username and password when constructing the HTTP request.

To learn how to configure API access for an Atlas project, see Configure Atlas API Access.

Base URL: https://cloud.mongodb.com/api/atlas/v1.0

Syntax

copy

GET /groups/{PROJECT-ID}/encryptionAtRest

Request Path Parameters

Path Element	Necessity	Description
PROJECT-ID	Required	Unique identifier for the project.

Request Query Parameters

The following query parameters are optional:

Query Parameter	Type	Description	Default
pretty	boolean	Displays response in a prettyprint format.	false
envelope	boolean	Specifies whether or not to wrap the response in an envelope.	false

Request Body Parameters

This endpoint does not use HTTP request body parameters.

Response

Name	Type	Description
awsKms	object	Specifies whether Encryption at Rest is enabled for an Atlas project and the AWS KMS configuration details.
awsKms.accessKeyID	string	The IAM access key ID with permissions to access the customer master key specified by customerMasterKeyID.
awsKms.customerMasterKeyID	string	The AWS customer master key used to encrypt and decrypt the MongoDB master keys.
awsKms.enabled	boolean	Specifies whether Encryption at Rest is enabled for an Atlas project.
awsKms.region	string	The AWS region in which the AWS customer master key exists.
awsKms.valid	boolean	Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only.
azureKeyVault	object	Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.
azureKeyVault.azureEnvironment	string	The Azure environment where the Azure account credentials reside.
azureKeyVault.clientID	string	The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.
azureKeyVault.enabled	boolean	Specifies whether Encryption at Rest is enabled for an Atlas project and the Azure Key Vault configuration details.
azureKeyVault.keyIdentifier	string	The unique identifier of a key in an Azure Key Vault.
azureKeyVault.keyVaultName	string	The name of an Azure Key Vault containing your key.
azureKeyVault.resourceGroupName	string	The name of the Azure Resource group that contains an Azure Key Vault.
azureKeyVault.subscriptionID	string	The unique identifier associated with an Azure subscription.
azureKeyVault.tenantID	string	Unique identifier for an Azure AD tenant within an Azure subscription.
azureKeyVault.valid	boolean	Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only.
googleCloudKms.enabled	boolean	Specifies whether Encryption at Rest is enabled for an Atlas project using Google Cloud KMS.
googleCloudKms.keyVersionResourceID	string	Key Version Resource ID for your Google Cloud KMS.
googleCloudKms.valid	boolean	Specifies whether the encryption key set for the provider is valid and may be used to encrypt and decrypt data. This field is a system-controlled status report and is read-only.

Example Request

copy

curl --user "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT-ID}/encryptionAtRest?pretty=true"

Example Response

The following example response contains Encryption at Rest using Customer Key Management configuration details for an Atlas project using AWS KMS:

copy

{
  "awsKms" : {
    "accessKeyID" : "AKIAIOSFODNN7EXAMPLE",
    "customerMasterKeyID" : "030gce02-586d-48d2-a966-05ea954fde0g",
    "enabled" : true,
    "region" : "US_EAST_1",
    "valid" : true
  },
  "azureKeyVault" : {
    "clientID" : null,
    "enabled" : false,
    "keyIdentifier" : null,
    "keyVaultName" : null,
    "resourceGroupName" : null,
    "subscriptionID" : null,
    "tenantID" : "null",
    "valid" : false
  },
  "googleCloudKms" : {
    "enabled" : false,
    "keyVersionResourceID" : null,
    "valid" : false
  }
}

The following example response contains Encryption at Rest using Customer Key Management configuration details for an Atlas project using Azure Key Vault:

copy

{
  "awsKms" : {
    "accessKeyID" : null,
    "customerMasterKeyID" : null,
    "enabled" : false,
    "region" : null,
     "valid" : false
  },
  "azureKeyVault" : {
    "azureEnvironment" : "AZURE",
    "clientID" : "g54f9e2-89e3-40fd-8188-EXAMPLEID",
    "enabled" : true,
    "keyIdentifier" : "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
    "keyVaultName" : "EXAMPLEKeyVault",
    "resourceGroupName" : "ExampleRGName",
    "subscriptionID" : "0ec944e3-g725-44f9-a147-EXAMPLEID",
    "tenantID" : "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID",
     "valid" : true
  },
  "googleCloudKms" : {
    "enabled" : false,
    "keyVersionResourceID" : null,
     "valid" : false
  }
}

The following example response contains Encryption at Rest using Customer Key Management configuration details for an Atlas project using GCP KMS:

copy

{
  "awsKms" : {
    "accessKeyID" : null,
    "customerMasterKeyID" : null,
    "enabled" : false,
    "region" : null,
     "valid" : false
  },
   "azureKeyVault" : {
     "clientID" : null,
     "enabled" : false,
     "keyIdentifier" : null,
     "keyVaultName" : null,
     "resourceGroupName" : null,
     "subscriptionID" : null,
     "tenantID" : "null",
     "valid" : false
   },
   "googleCloudKms" : {
     "enabled" : true,
     "keyVersionResourceID" : "projects/my-project/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
     "valid" : true
   }
 }

←   Enable and Configure Encryption at Rest using Customer Key Management for One Project Atlas Users  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.