Navigation

Rotate your GCP Key Version Resource ID

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas does not automatically rotate the Key Version Resource ID used for GCP key management.

Atlas automatically creates an encryption key rotation alert once you configure customer key management for a project.

Prerequisites

You must create a new Service Account Key in the GCP account associated with your Atlas project.

Procedure

The following procedure documents how to rotate your Atlas project Key Identifier by specifying a new Key Version Resource ID in Atlas.

1

Log into Atlas.

2

Select a project from the Context menu.

3

In the Security section of the left navigation, click Advanced.

4

Click Rotate Keys edit icon .

5

Click Google Cloud KMS.

Skip this step if the Google Cloud KMS tab is already active.

6

Expand Encryption Key Credentials.

Skip this step if the Encryption Key Credentials dialog is already in view.

7

Enter the GCP Key Version Resource ID in the Key Identifier entry.

Enter the fully-qualified resource name for a CryptoKeyVersion.

For example:

projects/my-project-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1

The encryption key must belong to the GCP Service Account Key configured for your Atlas project. Click the Service Account Key section to view the currently configured Service Account Key for the project.

8

Click Update Credentials.

Atlas displays a banner in the Atlas UI during the Key Identifier rotation process.

Warning

Do not delete or disable the original Key Version Resource ID until your changes have deployed.

If the cluster uses Cloud Provider Snapshots, do not delete or disable the original Key Version Resource ID until you ensure that no snapshots used that key for encryption.

Alerts

Atlas resets the encryption key rotation alert timer at the completion of this procedure.