Rotate your GCP Key Version Resource ID¶

Note

Feature unavailable in Free and Shared-Tier Clusters

This feature is not available for M0 free clusters, M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Cluster), M2, and M5 Limitations.

Important

Serverless Instances are in Preview

Serverless instances are in preview and do not support this feature at this time. To learn more, see Serverless Instance Limitations.

When you use your own cloud provider KMS, Atlas automatically rotates the MongoDB master keys every 90 days. These keys are rotated on a rolling basis and the process does not require the data to be rewritten.

Atlas does not automatically rotate the Key Version Resource ID used for Google Cloud key management.

Atlas automatically creates an encryption key rotation alert to remind you to rotate your GCP Key Version Resource ID every 90 days by default when you enable Encryption at Rest for an Atlas project.

Prerequisites¶

You must create a new Service Account Key in the Google Cloud account associated with your Atlas project.

Procedure¶

The following procedure documents how to rotate your Atlas project Key Identifier by specifying a new Key Version Resource ID in Atlas.

Navigate to the Advanced page for your project.¶

If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
Click Advanced in the sidebar.

Click Rotate Keys .¶

Update the GCP Key details.¶

Click Google Cloud KMS if the Google Cloud KMS tab is not already active.
Expand Encryption Key Credentials if the Encryption Key Credentials dialog is not already displayed.
Enter the GCP Key Version Resource ID in the Key Identifier entry.
Include the fully-qualified resource name for a CryptoKeyVersion.
Example
projects/my-project-0/locations/us-east4/keyRings/my-key-ring-0/cryptoKeys/my-key-0/cryptoKeyVersions/1
The encryption key must belong to the Google Cloud Service Account Key configured for your Atlas project. Click the Service Account Key section to view the currently configured Service Account Key for the project.
Click Update Credentials.

Atlas displays a banner in the Atlas console during the Key Identifier rotation process.

Warning

Do not delete or disable the original Key Version Resource ID until your changes have deployed.

If the cluster uses Cloud Backups, do not delete or disable the original Key Version Resource ID until you ensure that no snapshots used that key for encryption.

Alerts¶

Atlas resets the encryption key rotation alert timer at the completion of this procedure.

To learn more about MongoDB Encryption at Rest, see Encryption at Rest in the MongoDB server documentation.
To learn more about Encryption at Rest with Cloud Backups, see Encryption at Rest using Customer Key Management.

← Customer Key Management with Google Cloud KMS Set up Database Auditing →