# Update Encryption at Rest Configuration in One Project **PATCH /api/atlas/v2/groups/{groupId}/encryptionAtRest** Updates the configuration for encryption at rest using the keys you manage through your cloud provider. MongoDB Cloud encrypts all storage even if you don't use your own key management. This resource requires the requesting Service Account or API Key to have the Project Owner role. This feature isn't available for `M0` free clusters, `M2`, `M5`, or serverless clusters. After you configure at least one Encryption at Rest using a Customer Key Management provider for the MongoDB Cloud project, Project Owners can enable Encryption at Rest using Customer Key Management for each MongoDB Cloud cluster for which they require encryption. The Encryption at Rest using Customer Key Management provider doesn't have to match the cluster cloud service provider. MongoDB Cloud doesn't automatically rotate user-managed encryption keys. Defer to your preferred Encryption at Rest using Customer Key Management provider's documentation and guidance for best practices on key rotation. MongoDB Cloud automatically creates a 90-day key rotation alert when you configure Encryption at Rest using Customer Key Management using your Key Management in an MongoDB Cloud project. MongoDB Cloud encrypts all storage whether or not you use your own key management. ## Servers - https://cloud.mongodb.com: https://cloud.mongodb.com () ## Authentication methods - Service accounts - Digest auth ## Parameters #### Path parameters - **groupId** (string) Unique 24-hexadecimal digit string that identifies your project. Use the [/groups](#tag/Projects/operation/listProjects) endpoint to retrieve all projects to which the authenticated user has access. **NOTE**: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups. #### Query parameters - **envelope** (boolean) Flag that indicates whether Application wraps the response in an `envelope` JSON object. Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query. Endpoints that return a list of results use the results object as an envelope. Application adds the status parameter to the response body. - **pretty** (boolean) Flag that indicates whether the response body should be in the prettyprint format. ## Body parameters Content-type: application/vnd.atlas.2023-01-01+json Required parameters depend on whether someone has enabled Encryption at Rest using Customer Key Management: If you have enabled Encryption at Rest using Customer Key Management (CMK), Atlas requires all of the parameters for the desired encryption provider. - To use AWS Key Management Service (KMS), MongoDB Cloud requires all the fields in the **awsKms** object. - To use Azure Key Vault, MongoDB Cloud requires all the fields in the **azureKeyVault** object. - To use Google Cloud Key Management Service (KMS), MongoDB Cloud requires all the fields in the **googleCloudKms** object For authentication, you must provide either serviceAccountKey (static credentials) or roleId (service-account–based authentication) Once roleId is configured, serviceAccountKey is no longer supported. If you enabled Encryption at Rest using Customer Key Management, administrators can pass only the changed fields for the **awsKms**, **azureKeyVault**, or **googleCloudKms** object to update the configuration to this endpoint. - **awsKms** (object) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. - **azureKeyVault** (object) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). - **enabledForSearchNodes** (boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project. - **googleCloudKms** (object) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). ## Responses ### 200: OK #### Body Parameters: application/vnd.atlas.2023-01-01+json (object) - **awsKms** (object) Amazon Web Services (AWS) KMS configuration details and encryption at rest configuration set for the specified project. - **azureKeyVault** (object) Details that define the configuration of Encryption at Rest using Azure Key Vault (AKV). - **enabledForSearchNodes** (boolean) Flag that indicates whether Encryption at Rest for Dedicated Search Nodes is enabled in the specified project. - **googleCloudKms** (object) Details that define the configuration of Encryption at Rest using Google Cloud Key Management Service (KMS). ### 400: Bad Request. #### Body Parameters: application/json (object) - **badRequestDetail** (object) Bad request detail. - **detail** (string) Describes the specific conditions or reasons that cause each type of error. - **error** (integer(int32)) HTTP status code returned with this error. - **errorCode** (string) Application error code returned with this error. - **parameters** (array[object]) Parameters used to give more information about the error. - **reason** (string) Application error message returned with this error. ### 401: Unauthorized. #### Body Parameters: application/json (object) - **badRequestDetail** (object) Bad request detail. - **detail** (string) Describes the specific conditions or reasons that cause each type of error. - **error** (integer(int32)) HTTP status code returned with this error. - **errorCode** (string) Application error code returned with this error. - **parameters** (array[object]) Parameters used to give more information about the error. - **reason** (string) Application error message returned with this error. ### 403: Forbidden. #### Body Parameters: application/json (object) - **badRequestDetail** (object) Bad request detail. - **detail** (string) Describes the specific conditions or reasons that cause each type of error. - **error** (integer(int32)) HTTP status code returned with this error. - **errorCode** (string) Application error code returned with this error. - **parameters** (array[object]) Parameters used to give more information about the error. - **reason** (string) Application error message returned with this error. ### 404: Not Found. #### Body Parameters: application/json (object) - **badRequestDetail** (object) Bad request detail. - **detail** (string) Describes the specific conditions or reasons that cause each type of error. - **error** (integer(int32)) HTTP status code returned with this error. - **errorCode** (string) Application error code returned with this error. - **parameters** (array[object]) Parameters used to give more information about the error. - **reason** (string) Application error message returned with this error. ### 409: Conflict. #### Body Parameters: application/json (object) - **badRequestDetail** (object) Bad request detail. - **detail** (string) Describes the specific conditions or reasons that cause each type of error. - **error** (integer(int32)) HTTP status code returned with this error. - **errorCode** (string) Application error code returned with this error. - **parameters** (array[object]) Parameters used to give more information about the error. - **reason** (string) Application error message returned with this error. ### 500: Internal Server Error. #### Body Parameters: application/json (object) - **badRequestDetail** (object) Bad request detail. - **detail** (string) Describes the specific conditions or reasons that cause each type of error. - **error** (integer(int32)) HTTP status code returned with this error. - **errorCode** (string) Application error code returned with this error. - **parameters** (array[object]) Parameters used to give more information about the error. - **reason** (string) Application error message returned with this error. [Powered by Bump.sh](https://bump.sh)