# Method: organizations.updateCmekSettings

Last updated 2025-07-21 UTC.

Updates the Log Router CMEK settings for the given resource.

Note: CMEK for the Log Router can currently only be configured for Google Cloud organizations. Once configured, it applies to all projects and folders in the Google Cloud organization.

[v2.updateCmekSettings](/logging/docs/reference/v2/rest/v2/TopLevel/updateCmekSettings#google.logging.v2.ConfigServiceV2.UpdateCmekSettings) fails when any of the following are true:

- The value of `kmsKeyName` is invalid.
- The associated service account doesn't have the required `roles/cloudkms.cryptoKeyEncrypterDecrypter` role assigned for the key.
- Access to the key is disabled.

See [Enabling CMEK for Log Router](https://cloud.google.com/logging/docs/routing/managed-encryption) for more information.

### HTTP request

`PATCH https://logging.googleapis.com/v2/{name=organizations/*}/cmekSettings`

The URL uses [gRPC Transcoding](https://google.aip.dev/127) syntax.

### Path parameters

Authorization requires the following IAM permission on the specified resource name:

### Query parameters

Optional. Field mask identifying which fields from cmekSettings should be updated. A field will be overwritten if and only if it is in the update mask. Output only fields cannot be updated.

### Request body

The request body contains an instance of [CmekSettings](/logging/docs/reference/v2/rest/v2/billingAccounts.locations.buckets#LogBucket.CmekSettings).

### Response body

If successful, the response body contains an instance of [CmekSettings](/logging/docs/reference/v2/rest/v2/billingAccounts.locations.buckets#LogBucket.CmekSettings).

### Authorization scopes

Requires one of the following OAuth scopes:

- `https://www.googleapis.com/auth/logging.admin`
- `https://www.googleapis.com/auth/cloud-platform`

For more information, see the [Authentication Overview](/docs/authentication#authorization-gcp).
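An added example, not part of the original reference and not Google's code: a pre-flight builder for this PATCH request that enforces the update-mask rule and the `kmsKeyName` check before anything is sent. The `updateMask` query parameter name, the set of output-only fields and the Cloud KMS key name pattern are assumptions brought in from outside this page; the organization ID, key name and token are constructed.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import Request

# Assumption: kmsKeyName must be a full Cloud KMS CryptoKey resource name.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
# Assumption: output-only CmekSettings fields (not listed on this page).
OUTPUT_ONLY = {"name", "serviceAccountId", "kmsKeyVersionName"}


def build_update_request(org_id, settings, update_mask, access_token):
    """Return an unsent PATCH Request for organizations/{org_id}/cmekSettings."""
    if not org_id.isdigit():
        raise ValueError("organization ID must be numeric")
    mask = list(update_mask)
    blocked = OUTPUT_ONLY & set(mask)
    if blocked:
        raise ValueError(f"output-only fields cannot be updated: {sorted(blocked)}")
    # A field is overwritten only if it is in the mask, so a body field
    # outside the mask would be ignored without any error. Reject it here.
    ignored = set(settings) - set(mask)
    if ignored:
        raise ValueError(f"body fields missing from update mask: {sorted(ignored)}")
    # This example only covers setting a key, so the name must be well formed.
    if "kmsKeyName" in mask and not KMS_KEY_RE.match(settings.get("kmsKeyName") or ""):
        raise ValueError("kmsKeyName is not a valid CryptoKey resource name")
    url = (
        f"https://logging.googleapis.com/v2/organizations/{org_id}/cmekSettings?"
        + urlencode({"updateMask": ",".join(mask)})
    )
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return Request(url, data=json.dumps(settings).encode(), method="PATCH", headers=headers)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    key = "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key"
    req = build_update_request("123456789", {"kmsKeyName": key}, ["kmsKeyName"], "EXAMPLE_TOKEN")
    print(req.get_method(), req.full_url)
```

The format check catches only a malformed key name locally; the missing `roles/cloudkms.cryptoKeyEncrypterDecrypter` role and a disabled key still surface as failures from the API itself.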