Loading TOC...


   $config as element(configuration),
   $group-id as xs:unsignedLong,
   $key as xs:string
) as element(configuration)


This function sets the KMS key that is used by server side encryption for data at rest on the simple storage service. This key will only be used when the server side encryption method is "aws:kms".

config A configuration specification, typically as returned from one of the Admin module functions.
group-id The ID of the group. Typically, this is the result of an admin:group-get-id call.
key A string specifying the key that will be used by "aws:kms" server side encryption. This key can be the ID or ARN of the encryption key you want to use. You can set this parameter to empty to use the default encryption key, typically named aws/ebs in the S3 bucket region. If the server side encryption method is not "aws:kms", this key will be ignored.

Required Privileges

This operation requires at least one of the following privileges:



Usage Notes

An encryption key will not be transferred out of the region where it is created. Therefore, you cannot use an encryption key that is in a different region from the S3 bucket.


  xquery version "1.0-ml";

  import module namespace admin = "http://marklogic.com/xdmp/admin"
		  at "/MarkLogic/admin.xqy";

  let $config := admin:get-configuration()
  let $groupid := admin:group-get-id($config, "Default")
  return admin:group-set-s3-server-side-encryption-kms-key($config, $groupid, "f4cefc8d-f64d-4fd1-8e93-064db9c26968")

  (: returns the new configuration element -- use admin:save-configuration
     to save the changes to the configuration or pass the configuration
     to other Admin API functions to make other changes.  :)

Stack Overflow iconStack Overflow: Get the most useful answers to questions from the MarkLogic community, or ask your own question.