API >
API Resources >
Encryption at Rest >
Get Configuration for Encryption at Rest for a Project

Get Configuration for Encryption at Rest for a Project¶

On this page

Syntax
Response
Example Request
Example Response

Retrieves the current configuration details for Encryption at Rest for an Atlas project.

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project ID. For existing groups, your group/project ID remains the same. The resource and corresponding endpoints use the term groups.

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

The Atlas API uses HTTP Digest Authentication. Provide a programmatic API public key and corresponding private key as the username and password when constructing the HTTP request.

For complete documentation on configuring API access for an Atlas project, see Configure Atlas API Access.

Base URL: https://cloud.mongodb.com/api/atlas/v1.0

Syntax¶

copy

GET /groups/{GROUP-ID}/encryptionAtRest

Request Path Parameters¶

Path Element	Required/Optional	Description
`GROUP-ID`	Required.	The unique identifier for the project.

Request Query Parameters¶

The following query parameters are optional:

Query Parameter	Type	Description	Default
`pretty`	boolean	Displays response in a prettyprint format.	`false`
`envelope`	boolean	Specifies whether or not to wrap the response in an envelope.	`false`

Request Body Parameters¶

This endpoint does not use HTTP request body parameters.

Response¶

Name	Type	Description
`awsKms`	object	Specifies whether Encryption at Rest is enabled for an Atlas project and the AWS KMS configuration details.
`awsKms.accessKeyID`	string	The IAM access key ID with permissions to access the customer master key specified by `customerMasterKeyID`.
`awsKms.customerMasterKeyID`	string	The AWS customer master key used to encrypt and decrypt the MongoDB master keys.
`awsKms.enabled`	boolean	Specifies whether Encryption at Rest is enabled for an Atlas project.
`awsKms.region`	string	The AWS region in which the AWS customer master key exists.
`azureKeyVault`	object	Specifies Azure Key Vault configuration details and whether Encryption at Rest is enabled for an Atlas project.
`azureKeyVault.azureEnvironment`	string	The Azure environment where the Azure account credentials reside.
`azureKeyVault.clientID`	string	The client ID, also known as the application ID, for an Azure application associated with the Azure AD tenant.
`azureKeyVault.enabled`	boolean	Specifies whether Encryption at Rest is enabled for an Atlas project and the Azure Key Vault configuration details.
`azureKeyVault.keyIdentifier`	string	The unique identifier of a key in an Azure Key Vault.
`azureKeyVault.keyVaultName`	string	The name of an Azure Key Vault containing your key.
`azureKeyVault.resourceGroupName`	string	The name of the Azure Resource group that contains an Azure Key Vault.
`azureKeyVault.subscriptionID`	string	The unique identifier associated with an Azure subscription.
`azureKeyVault.tenantID`	string	Unique identifier for an Azure AD tenant within an Azure subscription.
`googleCloudKms.enabled`	boolean	Specifies whether Encryption at Rest is enabled for an Atlas project using Google Cloud KMS.
`googleCloudKms.keyVersionResourceID`	string	Key Version Resource ID for your Google Cloud KMS.

Example Request¶

copy

curl -X GET -i -u "{PUBLIC-KEY}:{PRIVATE-KEY}" --digest \
 "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/encryptionAtRest?pretty=true"

Example Response¶

AWS KMS¶

The following example response contains Encryption at Rest configuration details for an Atlas project using AWS KMS:

copy

{
  "awsKms" : {
    "accessKeyID" : "AKIAIOSFODNN7EXAMPLE",
    "customerMasterKeyID" : "030gce02-586d-48d2-a966-05ea954fde0g",
    "enabled" : true,
    "region" : "US_EAST_1"
  },
  "azureKeyVault" : {
    "clientID" : null,
    "enabled" : false,
    "keyIdentifier" : null,
    "keyVaultName" : null,
    "resourceGroupName" : null,
    "subscriptionID" : null,
    "tenantID" : "null"
  },
  "googleCloudKms" : {
    "enabled" : false,
    "keyVersionResourceID" : null
  }
}

Azure Key Vault¶

The following example response contains Encryption at Rest configuration details for an Atlas project using Azure Key Vault:

copy

{
  "awsKms" : {
    "accessKeyID" : null,
    "customerMasterKeyID" : null,
    "enabled" : false,
    "region" : null
  },
  "azureKeyVault" : {
    "azureEnvironment" : "AZURE",
    "clientID" : "g54f9e2-89e3-40fd-8188-EXAMPLEID",
    "enabled" : true,
    "keyIdentifier" : "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
    "keyVaultName" : "EXAMPLEKeyVault",
    "resourceGroupName" : "ExampleRGName",
    "subscriptionID" : "0ec944e3-g725-44f9-a147-EXAMPLEID",
    "tenantID" : "e8e4b6ba-ff32-4c88-a9af-EXAMPLEID"
  },
  "googleCloudKms" : {
    "enabled" : false,
    "keyVersionResourceID" : null
  }
}

Google Cloud KMS¶

The following example response contains Encryption at Rest configuration details for an Atlas project using Google Cloud KMS:

copy

{
  "awsKms" : {
    "accessKeyID" : null,
    "customerMasterKeyID" : null,
    "enabled" : false,
    "region" : null
  },
   "azureKeyVault" : {
     "clientID" : null,
     "enabled" : false,
     "keyIdentifier" : null,
     "keyVaultName" : null,
     "resourceGroupName" : null,
     "subscriptionID" : null,
     "tenantID" : "null"
   },
   "googleCloudKms" : {
     "enabled" : true,
     "keyVersionResourceID" : "projects/my-project/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1"
   }
 }

← Enable and Configure Encryption at Rest for a Project Atlas Users →