Troubleshoot organization policy violations

This document describes how to troubleshoot customer-managed encryption key (CMEK) organization policy violations in Spanner. To help you monitor your database fleet, Database Center detects CMEK organization policy violations using the following health check:

  • An Encryption org policy not satisfied violation indicates that a CMEK organization policy on a Spanner database isn't satisfied.

If you see this violation in Database Center, use the steps in this document to fix the issue. To learn more about Database Center, see Database Center overview.

Troubleshoot CMEK violations

If an "Encryption org policy not satisfied" violation occurs on a Spanner database in Database Center, you need to create a new database from a backup of the database on which the violation occurred. To learn more about CMEK in Spanner, see CMEK overview. To learn more about CMEK in Cloud Key Management Service, see Customer-managed encryption keys.

To create a new database from a backup, follow these steps:

  1. If you don't have a key ring, create one using the steps in Create a key ring.

  2. If you don't have a valid customer-managed key, create one using the steps in Create a key.

  3. Create a backup of the database with the policy violation. For more information, see Create a backup. You can use an encryption key when you create the backup. If you don't, then you can specify an encryption key in the next step.

  4. Restore the backup using the steps in Restore from a backup. Choose one of the following when you create your restored database:

    • If you used a CMEK key when you created the backup, then choose Use existing encryption.

    • If you didn't encrypt the backup, then choose Cloud KMS key.
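The four steps above as a gcloud sequence. This is an added example, not part of the original document: every resource name is a constructed placeholder, and mapping the console choices "Use existing encryption" and "Cloud KMS key" to the `--encryption-type` values shown is an assumption. Commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example: remediate a CMEK org policy violation by restoring the
# database from a backup under a customer-managed key (steps 1-4 above).
# All names below are constructed placeholders; replace them with your own.
set -eu

PROJECT="example-project"; LOCATION="us-central1"
KEYRING="example-keyring"; KEY="example-key"
INSTANCE="example-instance"; DATABASE="example-db"
BACKUP="example-db-backup"; NEW_DATABASE="example-db-cmek"
KMS_KEY="projects/${PROJECT}/locations/${LOCATION}/keyRings/${KEYRING}/cryptoKeys/${KEY}"

# Print each command by default; set DRY_RUN=0 to execute it instead.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Steps 1 and 2: key ring and symmetric encryption key (skip if they exist).
create_key() {
  run gcloud kms keyrings create "$KEYRING" --project="$PROJECT" --location="$LOCATION"
  run gcloud kms keys create "$KEY" --project="$PROJECT" --location="$LOCATION" \
    --keyring="$KEYRING" --purpose=encryption
}

# Step 3: back up the violating database. Pass "cmek" to encrypt the backup
# with KMS_KEY; otherwise the key is chosen at restore time.
create_backup() {
  enc=""
  if [ "${1:-}" = cmek ]; then
    enc="--encryption-type=customer-managed-encryption --kms-key=$KMS_KEY"
  fi
  run gcloud spanner backups create "$BACKUP" --project="$PROJECT" \
    --instance="$INSTANCE" --database="$DATABASE" --retention-period=7d $enc
}

# Step 4: restore into a new database. A CMEK backup keeps its existing
# encryption; an unencrypted-by-CMEK backup gets KMS_KEY here.
restore_backup() {
  if [ "${1:-}" = cmek ]; then
    enc="--encryption-type=use-config-default-or-backup-encryption"
  else
    enc="--encryption-type=customer-managed-encryption --kms-key=$KMS_KEY"
  fi
  run gcloud spanner databases restore --project="$PROJECT" \
    --source-instance="$INSTANCE" --source-backup="$BACKUP" \
    --destination-instance="$INSTANCE" --destination-database="$NEW_DATABASE" $enc
}

MODE="${BACKUP_ENC:-none}"   # "cmek" if the backup itself should use the key
create_key; create_backup "$MODE"; restore_backup "$MODE"
```

After the restore finishes, `gcloud spanner databases describe` on the new database shows which key it uses.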