MongoDB Atlas encryption at rest using GCP KMS

Hi all,

Did anyone manage to succeed and configure MongoDB Atlas encryption at rest using GCP KMS?

Below is my configuration for the mongodbatlas_encryption_at_rest resource, but it actually always throws the following exception:

│ Error: error creating Encryption At Rest: ************************
│   with module.mongodb.mongodbatlas_encryption_at_rest.encatrest,
│   on modules/mongodb/ line 4, in resource "mongodbatlas_encryption_at_rest" "encatrest":
│    4: resource "mongodbatlas_encryption_at_rest" "encatrest" {
│ PATCH: HTTP 400 Bad Request (Error code:
│ "MISSING_ENCRYPTION_AT_REST_PROVIDER") Detail: At least one Encryption at Rest provider must be specified. Reason: Bad Request. Params: []

Here’s my configuration:

resource "mongodbatlas_encryption_at_rest" "encatrest" {
  project_id =

  google_cloud_kms_config {
    enabled                 = true
    key_version_resource_id = google_kms_crypto_key.mongodb_atlas_encryption_at_rest.primary[0].name
    service_account_key     = base64decode(google_service_account_key.mongodb_atlas_encryption_at_rest.private_key)
  }
}

If I output key_version_resource_id and service_account_key and use these values to manually configure encryption at rest in the MongoDB Atlas web console, it is enabled and configured without any issues or exceptions. I also tried importing it into my Terraform state after manual enablement and then applying this same configuration: it detects a change to add service_account_key and in the end applies the change.

Anyone who might have this same issue or any idea how to overcome it?


We faced a similar issue. There are two suggestions that resolved the error.

  1. Use MongoDB Atlas Terraform provider: version 1.15.3 or higher

terraform {
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "1.15.3"
    }
  }
}

  2. Service account key: use a HEREDOC string instead of a string.

google_cloud_kms_config {
  enabled = true
  service_account_key = <<EOF
{
  "type": "service_account",
  "project_id": "",
  "private_key_id": "",
  "private_key": "",
  "client_email": "",
  "client_id": "",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": "",
  "universe_domain": ""
}
EOF
  key_version_resource_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
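
An added example, not part of either post or of the provider's own documentation: the resource from the thread with the reply's provider constraint applied and plan-time checks on the two values it takes. The variable names are assumptions; the key version pattern is the standard Cloud KMS resource name ending in `/cryptoKeyVersions/<n>`.

```hcl
# Added example; variable names are assumptions, not from the thread.
terraform {
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = ">= 1.15.3" # the reply's "1.15.3 or higher"
    }
  }
}

variable "atlas_project_id" {
  type = string
}

# Decoded service account key JSON. A value taken from
# google_service_account_key.<name>.private_key is base64-encoded, so it
# must go through base64decode() first, as in the original post.
variable "gcp_sa_key_json" {
  type      = string
  sensitive = true

  validation {
    # False when the value is still base64 or is JSON without a private_key.
    condition     = can(jsondecode(var.gcp_sa_key_json).private_key)
    error_message = "The gcp_sa_key_json value must be the decoded service account key JSON."
  }
}

variable "kms_key_version_id" {
  type = string

  validation {
    # Must name a key version, not only the crypto key.
    condition     = can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+/cryptoKeyVersions/[0-9]+$", var.kms_key_version_id))
    error_message = "The kms_key_version_id value must end in /cryptoKeyVersions/<n>."
  }
}

resource "mongodbatlas_encryption_at_rest" "encatrest" {
  project_id = var.atlas_project_id

  google_cloud_kms_config {
    enabled                 = true
    service_account_key     = var.gcp_sa_key_json
    key_version_resource_id = var.kms_key_version_id
  }
}
```

`sensitive = true` only redacts the key in plan and apply output; the value is still written to the Terraform state, so the state backend needs the same protection as the key itself.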