> ## Documentation Index
> Fetch the complete documentation index at: https://www.cockroachlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable CMEK for a cluster

> Can be used by the following roles assigned at the organization, folder or cluster scope:
- CLUSTER_ADMIN
- CLUSTER_OPERATOR_WRITER




## OpenAPI

````yaml /openapi/cloud/2023-04-10.json post /api/v1/clusters/{cluster_id}/cmek
openapi: 3.0.0
info:
  contact:
    email: support@cockroachlabs.com
    name: Cockroach Labs Support
    url: https://support.cockroachlabs.com
  description: An API for managing CockroachDB Cloud resources
  title: CockroachDB Cloud API
  version: '2023-04-10'
servers:
  - url: https://cockroachlabs.cloud
security:
  - Bearer: []
tags:
  - name: SCIM
  - name: Organizations
  - name: Clusters
  - name: SQL Users
  - name: SQL Privilege Grants
  - name: Databases
  - name: Customer-managed Encryption Keys
  - name: Client CA Certificates
  - name: Cluster SSO
  - name: Log Export
  - name: Metric Export
  - name: Audit Logs
  - name: IP Allowlists
  - name: Egress Rules
  - name: Billing
  - name: Maintenance Windows
  - name: Role Management
  - name: Service Accounts
  - name: API Keys
  - name: Folders
  - name: Version Deferral
  - name: JWT Issuers
  - name: OpenID Connect Configuration
  - name: Private Endpoint Services
  - name: PCI
  - name: Physical Cluster Replication
  - name: Backup/Restore
externalDocs:
  description: Use the CockroachDB Cloud API
  url: https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api
paths:
  /api/v1/clusters/{cluster_id}/cmek:
    post:
      tags:
        - Customer-managed Encryption Keys
      summary: Enable CMEK for a cluster
      description: >
        Can be used by the following roles assigned at the organization, folder
        or cluster scope:

        - CLUSTER_ADMIN

        - CLUSTER_OPERATOR_WRITER
      operationId: CockroachCloud_EnableCMEKSpec
      parameters:
        - name: cluster_id
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                region_specs:
                  type: array
                  items:
                    $ref: '#/components/schemas/CMEKRegionSpecification'
              example:
                region_specs:
                  - key_spec:
                      auth_principal: arn:aws:iam::account:role/role-name-with-path
                      type: AWS_KMS
                      uri: arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key
                    region: us-central1
              required:
                - region_specs
              title: CMEKClusterSpecification
      responses:
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CMEKClusterInfo'
        '400':
          description: Returned when a request field is invalid.
          content:
            application/json:
              schema: {}
        '401':
          description: Returned when the token bearer cannot be authenticated.
          content:
            application/json:
              schema: {}
        '403':
          description: >-
            Returned when the user does not have permission to access the
            resource.
          content:
            application/json:
              schema: {}
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema: {}
        '500':
          description: Server error
          content:
            application/json:
              schema: {}
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
      x-codeSamples:
        - lang: curl
          source: |-
            curl --request POST \
              --url https://cockroachlabs.cloud/api/v1/clusters/{cluster_id}/cmek \
              --header 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
              --json '{"region_specs":[{"key_spec":{"auth_principal":"arn:aws:iam::account:role/role-name-with-path","type":"AWS_KMS","uri":"arn:aws:kms:us-west-2:111122223333:key/id-of-kms-key"},"region":"us-central1"}]}'
components:
  schemas:
    CMEKRegionSpecification:
      description: >-
        CMEKRegionSpecification declares the customer-provided key specification
        that

        should be used in a given region.
      type: object
      properties:
        key_spec:
          $ref: '#/components/schemas/CMEKKeySpecification'
        region:
          type: string
    CMEKClusterInfo:
      description: |-
        CMEKClusterInfo contains the status of CMEK across an entire cluster,
        including within each one its regions.
      type: object
      properties:
        region_infos:
          type: array
          items:
            $ref: '#/components/schemas/CMEKRegionInfo'
        status:
          $ref: '#/components/schemas/CMEKStatus'
    Status:
      type: object
      properties:
        code:
          type: integer
          format: int32
        details:
          type: array
          items:
            $ref: '#/components/schemas/Any'
        message:
          type: string
    CMEKKeySpecification:
      description: >-
        CMEKKeySpecification contains all the details necessary to use a
        customer-provided

        encryption key.


        This involves the type/location of the key and the principal to
        authenticate as 

        when accessing it.
      type: object
      properties:
        auth_principal:
          type: string
        type:
          $ref: '#/components/schemas/CMEKKeyType'
        uri:
          type: string
    CMEKRegionInfo:
      description: >-
        CMEKRegionInfo contains the status of CMEK within a region.


        This includes current and past key specifications used within the
        region, 

        as well as the status of those specifications
      type: object
      properties:
        key_infos:
          type: array
          items:
            $ref: '#/components/schemas/CMEKKeyInfo'
        region:
          type: string
        status:
          $ref: '#/components/schemas/CMEKStatus'
    CMEKStatus:
      description: >-
        CMEKStatus describes the current status of CMEK for an entire CRDB
        cluster

        or a CMEK key within a region.

         - DISABLED: DISABLED corresponds to the state of a cluster or region-level key when
        CMEK has finished being disabled. By default, CMEK will be disabled for

        new clusters.
         - DISABLING: DISABLING corresponds to the state of a cluster or region-level key when
        CMEK is in the process of being disabled.
         - DISABLE_FAILED: DISABLE_FAILED corresponds to the state of a cluster or region-level key
        when CMEK has failed to be disabled.
         - ENABLED: ENABLED corresponds to the state of a cluster or region-level key when
        CMEK is enabled.
         - ENABLING: ENABLING corresponds to the state of a cluster or region-level key when
        CMEK is in the process of being enabled.
         - ENABLE_FAILED: ENABLE_FAILED corresponds to the state of a cluster or region-level key
        when CMEK has failed to be enabled.
         - ROTATING: ROTATING corresponds to the state of a cluster or region when the a new
        spec is in the process of being enabled while an existing spec is being

        disabled.
         - ROTATE_FAILED: ROTATE_FAILED corresponds to the state of a cluster or region if there was
        a failure to update from one CMEK spec to another.
         - REVOKED: REVOKED corresponds to the state of a cluster or region-level key when the
        customer has revoked CockroachLab's permissions for their key.
         - REVOKING: REVOKING corresponds to the state of a cluster or region-level key when
        CMEK is in the process of being revoked.
         - REVOKE_FAILED: REVOKE_FAILED corresponds to the state of a cluster or region-level key
        when CMEK has failed to be revoked.
      type: string
      enum:
        - DISABLED
        - DISABLING
        - DISABLE_FAILED
        - ENABLED
        - ENABLING
        - ENABLE_FAILED
        - ROTATING
        - ROTATE_FAILED
        - REVOKED
        - REVOKING
        - REVOKE_FAILED
    Any:
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        Protobuf library provides support to pack/unpack Any values in the form

        of utility functions or additional generated methods of the Any type.


        Example 1: Pack and unpack a message in C++.

            Foo foo = ...;
            Any any;
            any.PackFrom(foo);
            ...
            if (any.UnpackTo(&foo)) {
              ...
            }

        Example 2: Pack and unpack a message in Java.

            Foo foo = ...;
            Any any = Any.pack(foo);
            ...
            if (any.is(Foo.class)) {
              foo = any.unpack(Foo.class);
            }
            // or ...
            if (any.isSameTypeAs(Foo.getDefaultInstance())) {
              foo = any.unpack(Foo.getDefaultInstance());
            }

         Example 3: Pack and unpack a message in Python.

            foo = Foo(...)
            any = Any()
            any.Pack(foo)
            ...
            if any.Is(Foo.DESCRIPTOR):
              any.Unpack(foo)
              ...

         Example 4: Pack and unpack a message in Go

             foo := &pb.Foo{...}
             any, err := anypb.New(foo)
             if err != nil {
               ...
             }
             ...
             foo := &pb.Foo{}
             if err := any.UnmarshalTo(foo); err != nil {
               ...
             }

        The pack methods provided by protobuf library will by default use

        'type.googleapis.com/full.type.name' as the type URL and the unpack

        methods only use the fully qualified type name after the last '/'

        in the type URL, for example "foo.bar.com/x/y.z" will yield type

        name "y.z".


        JSON

        ====

        The JSON representation of an `Any` value uses the regular

        representation of the deserialized, embedded message, with an

        additional field `@type` which contains the type URL. Example:

            package google.profile;
            message Person {
              string first_name = 1;
              string last_name = 2;
            }

            {
              "@type": "type.googleapis.com/google.profile.Person",
              "firstName": <string>,
              "lastName": <string>
            }

        If the embedded message type is well-known and has a custom JSON

        representation, that representation will be embedded adding a field

        `value` which holds the custom JSON in addition to the `@type`

        field. Example (for message [google.protobuf.Duration][]):

            {
              "@type": "type.googleapis.com/google.protobuf.Duration",
              "value": "1.212s"
            }
      type: object
      properties:
        '@type':
          description: >-
            A URL/resource name that uniquely identifies the type of the
            serialized

            protocol buffer message. This string must contain at least

            one "/" character. The last segment of the URL's path must represent

            the fully qualified name of the type (as in

            `path/google.protobuf.Duration`). The name should be in a canonical
            form

            (e.g., leading "." is not accepted).


            In practice, teams usually precompile into the binary all types that
            they

            expect it to use in the context of Any. However, for URLs which use
            the

            scheme `http`, `https`, or no scheme, one can optionally set up a
            type

            server that maps type URLs to message definitions as follows:


            * If no scheme is provided, `https` is assumed.

            * An HTTP GET on the URL must yield a [google.protobuf.Type][]
              value in binary format, or produce an error.
            * Applications are allowed to cache lookup results based on the
              URL, or have them precompiled into a binary to avoid any
              lookup. Therefore, binary compatibility needs to be preserved
              on changes to types. (Use versioned type names to manage
              breaking changes.)

            Note: this functionality is not currently available in the official

            protobuf release, and it is not used for type URLs beginning with

            type.googleapis.com. As of May 2023, there are no widely used type
            server

            implementations and no plans to implement one.


            Schemes other than `http`, `https` (or the empty scheme) might be

            used with implementation specific semantics.
          type: string
      additionalProperties: {}
    CMEKKeyType:
      type: string
      enum:
        - AWS_KMS
        - GCP_CLOUD_KMS
        - NULL_KMS
      title: CMEKKeyType enumerates types of customer-managed keys
    CMEKKeyInfo:
      description: |-
        CMEKKeyInfo contains the status of a customer-provided key alongside the
        specification.
      type: object
      properties:
        created_at:
          type: string
          format: date-time
        spec:
          $ref: '#/components/schemas/CMEKKeySpecification'
        status:
          $ref: '#/components/schemas/CMEKStatus'
        updated_at:
          type: string
          format: date-time
        user_message:
          type: string
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

````