Andrea Test

Return One Configuration for Encryption at Rest using Customer-Managed Keys for One Project

GET /api/atlas/v2/groups/{groupId}/encryptionAtRest
Digest auth

Returns the configuration for encryption at rest using the keys you manage through your cloud provider. MongoDB Cloud encrypts all storage even if you don't use your own key management. This resource requires the requesting API Key to have the Project Owner role.

LIMITED TO M10 OR GREATER: MongoDB Cloud limits this feature to dedicated cluster tiers of M10 and greater.

Path parameters

  • groupId string Required

    Unique 24-hexadecimal digit string that identifies your project. Use the /groups endpoint to retrieve all projects to which the authenticated user has access.

    NOTE: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.

    Minimum length is 24, maximum length is 24. Format should match the following pattern: ^([a-f0-9]{24})$.

Query parameters

  • envelope boolean

    Flag that indicates whether Application wraps the response in an envelope JSON object. Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query. Endpoints that return a list of results use the results object as an envelope. Application adds the status parameter to the response body.

    Default value is false.

  • pretty boolean

    Flag that indicates whether the response body should be in the prettyprint format.

    Default value is false.

Responses

  • 200 application/vnd.atlas.2023-01-01+json

    OK

    Hide response attributes Show response attributes object
    • awsKms object

      Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project.

      Amazon Web Services Key Management Service
      Hide awsKms attributes Show awsKms attributes object
      • accessKeyID string

        Unique alphanumeric string that identifies an Identity and Access Management (IAM) access key with permissions required to access your Amazon Web Services (AWS) Customer Master Key (CMK).

        Minimum length is 16, maximum length is 128.

      • customerMasterKeyID string

        Unique alphanumeric string that identifies the Amazon Web Services (AWS) Customer Master Key (CMK) you used to encrypt and decrypt the MongoDB master keys.

        Minimum length is 1, maximum length is 2048.

      • enabled boolean

        Flag that indicates whether someone enabled encryption at rest for the specified project through Amazon Web Services (AWS) Key Management Service (KMS). To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.

      • region string

        Physical location where MongoDB Cloud deploys your AWS-hosted MongoDB cluster nodes. The region you choose can affect network latency for clients accessing your databases. When MongoDB Cloud deploys a dedicated cluster, it checks if a VPC or VPC connection exists for that provider and region. If not, MongoDB Cloud creates them as part of the deployment. MongoDB Cloud assigns the VPC a CIDR block. To limit a new VPC peering connection to one CIDR block and region, create the connection first. Deploy the cluster after the connection starts.

        Values are US_GOV_WEST_1, US_GOV_EAST_1, US_EAST_1, US_EAST_2, US_WEST_1, US_WEST_2, CA_CENTRAL_1, EU_NORTH_1, EU_WEST_1, EU_WEST_2, EU_WEST_3, EU_CENTRAL_1, EU_CENTRAL_2, AP_EAST_1, AP_NORTHEAST_1, AP_NORTHEAST_2, AP_NORTHEAST_3, AP_SOUTHEAST_1, AP_SOUTHEAST_2, AP_SOUTHEAST_3, AP_SOUTHEAST_4, AP_SOUTH_1, AP_SOUTH_2, SA_EAST_1, CN_NORTH_1, CN_NORTHWEST_1, ME_SOUTH_1, ME_CENTRAL_1, AF_SOUTH_1, EU_SOUTH_1, EU_SOUTH_2, IL_CENTRAL_1, CA_WEST_1, or GLOBAL.

      • valid boolean

        Flag that indicates whether the Amazon Web Services (AWS) Key Management Service (KMS) encryption key can encrypt and decrypt data.

    • azureKeyVault object

      Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV).

      Azure Key Vault
      Hide azureKeyVault attributes Show azureKeyVault attributes object
      • azureEnvironment string

        Azure environment in which your account credentials reside.

        Values are AZURE, AZURE_CHINA, or AZURE_GERMANY.

      • clientID string(uuid)

        Unique 36-hexadecimal character string that identifies an Azure application associated with your Azure Active Directory tenant.

      • enabled boolean

        Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.

      • keyIdentifier string

        Web address with a unique key that identifies for your Azure Key Vault.

      • keyVaultName string

        Unique string that identifies the Azure Key Vault that contains your key.

      • requirePrivateNetworking boolean

        Enable connection to your Azure Key Vault over private networking.

      • resourceGroupName string

        Name of the Azure resource group that contains your Azure Key Vault.

      • subscriptionID string(uuid)

        Unique 36-hexadecimal character string that identifies your Azure subscription.

      • tenantID string(uuid)

        Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription.

      • valid boolean

        Flag that indicates whether the Azure encryption key can encrypt and decrypt data.

    • googleCloudKms object

      Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS).

      Google Cloud Key Management Service
      Hide googleCloudKms attributes Show googleCloudKms attributes object
      • enabled boolean

        Flag that indicates whether someone enabled encryption at rest for the specified project. To disable encryption at rest using customer key management and remove the configuration details, pass only this parameter with a value of false.

      • keyVersionResourceID string

        Resource path that displays the key version resource ID for your Google Cloud KMS.

      • valid boolean

        Flag that indicates whether the Google Cloud Key Management Service (KMS) encryption key can encrypt and decrypt data.
  • 404 application/json

    Not Found.

    Hide response attributes Show response attributes object
    • detail string

      Describes the specific conditions or reasons that cause each type of error.

    • error integer(int32)

      HTTP status code returned with this error.

      External documentation
    • errorCode string

      Application error code returned with this error.

    • parameters array[object]

      Parameters used to give more information about the error.

    • reason string

      Application error message returned with this error.
  • 500 application/json

    Internal Server Error.

    Hide response attributes Show response attributes object
    • detail string

      Describes the specific conditions or reasons that cause each type of error.

    • error integer(int32)

      HTTP status code returned with this error.

      External documentation
    • errorCode string

      Application error code returned with this error.

    • parameters array[object]

      Parameters used to give more information about the error.

    • reason string

      Application error message returned with this error.
GET /api/atlas/v2/groups/{groupId}/encryptionAtRest 
atlas api encryptionAtRestUsingCustomerKeyManagement getEncryptionAtRest --help
import (
	"os"
	"context"
	"log"
	sdk "go.mongodb.org/atlas-sdk/v20230101001/admin"
)

func main() {
	ctx := context.Background()
	clientID := os.Getenv("MONGODB_ATLAS_CLIENT_ID")
	clientSecret := os.Getenv("MONGODB_ATLAS_CLIENT_SECRET")

	// See https://dochub.mongodb.org/core/atlas-go-sdk-oauth
	client, err := sdk.NewClient(sdk.UseOAuthAuth(clientID, clientSecret))

	if err != nil {
		log.Fatalf("Error: %v", err)
	}

	params = &sdk.GetEncryptionAtRestApiParams{}
	sdkResp, httpResp, err := client.EncryptionatRestusingCustomerKeyManagementApi.
		GetEncryptionAtRestWithParams(ctx, params).
		Execute()
}

curl --include --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --header "Accept: application/vnd.atlas.2023-01-01+json" \
  -X GET "https://cloud.mongodb.com/api/atlas/v2/groups/{groupId}/encryptionAtRest?pretty=true"
curl --user "${PUBLIC_KEY}:${PRIVATE_KEY}" \
  --digest --include \
  --header "Accept: application/vnd.atlas.2023-01-01+json" \
  -X GET "https://cloud.mongodb.com/api/atlas/v2/groups/{groupId}/encryptionAtRest?pretty=true"
Response examples (200) 
{
  "awsKms": {
    "accessKeyID": "019dd98d94b4bb778e7552e4",
    "customerMasterKeyID": "string",
    "enabled": true,
    "region": "US_GOV_WEST_1",
    "valid": true
  },
  "azureKeyVault": {
    "azureEnvironment": "AZURE",
    "clientID": "string",
    "enabled": true,
    "keyIdentifier": "https://EXAMPLEKeyVault.vault.azure.net/keys/EXAMPLEKey/d891821e3d364e9eb88fbd3d11807b86",
    "keyVaultName": "string",
    "requirePrivateNetworking": true,
    "resourceGroupName": "string",
    "subscriptionID": "string",
    "tenantID": "string",
    "valid": true
  },
  "googleCloudKms": {
    "enabled": true,
    "keyVersionResourceID": "projects/my-project-common-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1",
    "valid": true
  }
}
Response examples (404) 
{
  "error": 404,
  "detail": "(This is just an example, the exception may not be related to this endpoint) Cannot find resource AWS",
  "reason": "Not Found",
  "errorCode": "RESOURCE_NOT_FOUND"
}
Response examples (500) 
{
  "error": 500,
  "detail": "(This is just an example, the exception may not be related to this endpoint)",
  "reason": "Internal Server Error",
  "errorCode": "UNEXPECTED_ERROR"
}