This document describes how to troubleshoot customer-managed encryption key
(CMEK) and data residency organization policy violations in
Spanner. To help you monitor your database fleet,
Database Center detects CMEK and data residency organization
policy violations using the following health checks:
An Encryption org policy not satisfied violation indicates that a CMEK
organization policy on a Spanner database isn't satisfied.
A Location org policy not satisfied violation indicates that a database is
in a region that's not allowed by an organization policy. This can happen when
a database was created in an allowed region, but after the database was
created an organization policy disallowed the region.
If you see either of these violations in Database Center, use the
matching procedure in this document to fix the issue. To learn more about
Database Center, see Database Center
overview.
Troubleshoot CMEK violations
If an Encryption org policy not satisfied violation on a
Spanner database occurs in Database Center, you
need to create a new database from a backup of the database on which the
violation occurred. To learn more about CMEK in Spanner, see
CMEK overview. To learn more about CMEK in Cloud Key Management Service,
see Customer-managed encryption keys. To create a new database
from a backup, follow these steps:
If you don't have a key ring, create one using the steps in
Create a key ring.
If you don't have a valid customer-managed key, create one using the steps
in Create a key. The key must be in the same location as the Spanner instance,
and the Spanner service agent for the project
(service-PROJECT_NUMBER@gcp-sa-spanner.iam.gserviceaccount.com) must have the
Cloud KMS CryptoKey Encrypter/Decrypter role on the key; otherwise Spanner can't
use the key for the backup or the restored database.
Create a backup of the database with the policy violation. For more
information, see
Create a backup. You
can specify a CMEK key when you create the backup. If you don't, you must
specify one when you restore the backup in the next step.
Restore the backup using the steps in Restore from a
backup. Choose one of the following when
you create your restored database:
If you encrypted the backup with a CMEK key, choose Use
existing encryption.
If you didn't encrypt the backup with a CMEK key, choose Cloud KMS key and
select the key you created.
Troubleshoot data residency violations
If a Location org policy not satisfied violation on a Spanner
database occurs in Database Center, then you need to move the
database to an instance configuration in an allowed region. Spanner moves
whole instances, so moving an instance also moves every other database in it;
check those databases before you move it. For more information about
allowed regions, see
Resource locations.
To move a database, follow these steps:
1. Make sure you have an available instance configuration in an allowed region.
To see a list of available instance configurations, run the following Google
Cloud CLI command:

gcloud spanner instance-configs list

If you need to create a new instance configuration, see
Create a custom instance configuration.
2. Use the gcloud spanner instances move command to move the instance that
contains the database to the new instance configuration.
To prevent databases from being created in a region, add the region to the
denied_values list of the gcp.resourceLocations constraint when you set the
organization policy on the organization, folder, or project that contains the
database. Note that an organization policy doesn't move existing databases: a
database created before the region was denied stays where it is and is reported
as a Location org policy not satisfied violation until you move it. For
more information, see
Set the organization policy.
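The following Python example is added here to illustrate both health checks described in this document; it is not part of the original page and is not Database Center's or Spanner's own code. It models the Encryption org policy not satisfied check (Spanner denied under gcp.restrictNonCmekServices means CMEK is required; any key in use must live in a project allowed by gcp.restrictCmekCryptoKeyProjects) and the Location org policy not satisfied check (every replica region of the instance configuration must be permitted by gcp.resourceLocations) over a constructed fleet, including a database whose region was denied only after it was created. The constraint names are real; the policy matching is simplified (the in: value-group and under: hierarchy syntaxes are matched literally, not expanded), and every project, key, instance configuration and database name is constructed for the example.

```python
import re
from dataclasses import dataclass

# Real Organization Policy constraint names. The matching below is a
# simplified model: "in:" value groups and "under:" hierarchy values are
# not expanded, only literal values are compared.
CMEK_SERVICE_CONSTRAINT = "constraints/gcp.restrictNonCmekServices"
CMEK_PROJECT_CONSTRAINT = "constraints/gcp.restrictCmekCryptoKeyProjects"
LOCATION_CONSTRAINT = "constraints/gcp.resourceLocations"
SPANNER_SERVICE = "spanner.googleapis.com"

# Cloud KMS key resource name, as stored in a database's encryptionConfig.
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


@dataclass(frozen=True)
class ListPolicy:
    """Effective policy of a list constraint: it carries either
    allowed_values or denied_values. An empty policy permits everything."""
    allowed_values: frozenset = frozenset()
    denied_values: frozenset = frozenset()

    def permits(self, value: str) -> bool:
        if self.allowed_values:
            return value in self.allowed_values
        return value not in self.denied_values


@dataclass(frozen=True)
class Database:
    """The Spanner database fields the two checks look at: the distinct
    regions of its instance configuration's replicas and the CMEK key
    names from encryptionConfig (empty means Google-managed encryption)."""
    name: str
    replica_regions: tuple
    kms_key_names: tuple = ()


def check_encryption(db: Database, policies: dict) -> list:
    """Reasons the 'Encryption org policy not satisfied' check fails ([] if it passes)."""
    reasons = []
    cmek_required = not policies.get(
        CMEK_SERVICE_CONSTRAINT, ListPolicy()).permits(SPANNER_SERVICE)
    if cmek_required and not db.kms_key_names:
        reasons.append("CMEK required but database uses Google-managed encryption")
    key_projects = policies.get(CMEK_PROJECT_CONSTRAINT, ListPolicy())
    for key in db.kms_key_names:
        match = KMS_KEY_RE.match(key)
        if match is None:
            reasons.append(f"malformed KMS key name: {key}")
        elif not key_projects.permits("projects/" + match["project"]):
            reasons.append(f"key {key} is outside the projects allowed for CMEK keys")
    return reasons


def check_location(db: Database, policies: dict) -> list:
    """Reasons the 'Location org policy not satisfied' check fails ([] if it passes).
    A policy that denies a region after the database was created trips this."""
    policy = policies.get(LOCATION_CONSTRAINT, ListPolicy())
    return [f"replica in {region} is denied by {LOCATION_CONSTRAINT}"
            for region in db.replica_regions if not policy.permits(region)]


def key_location_matches_instance(db: Database, kms_key_name: str) -> bool:
    """Pre-restore check for the CMEK fix: a regional instance configuration
    needs its key in that same region. Returns False whenever the fit can't be
    confirmed (malformed key or a multi-region configuration)."""
    match = KMS_KEY_RE.match(kms_key_name)
    if match is None or len(db.replica_regions) != 1:
        return False
    return match["location"] == db.replica_regions[0]


def evaluate_fleet(databases, policies: dict) -> dict:
    """Map each database name to its list of violations ([] when healthy)."""
    return {db.name: check_encryption(db, policies) + check_location(db, policies)
            for db in databases}


# Constructed sample policies and fleet (no real projects, keys or instances).
SAMPLE_POLICIES = {
    CMEK_SERVICE_CONSTRAINT: ListPolicy(denied_values=frozenset({SPANNER_SERVICE})),
    CMEK_PROJECT_CONSTRAINT: ListPolicy(allowed_values=frozenset({"projects/kms-prod"})),
    # us-east1 was permitted when "orders" was created; the policy later denied it.
    LOCATION_CONSTRAINT: ListPolicy(denied_values=frozenset({"us-east1"})),
}
KEY_CENTRAL = "projects/kms-prod/locations/us-central1/keyRings/spanner/cryptoKeys/db"
KEY_EAST = "projects/kms-prod/locations/us-east1/keyRings/spanner/cryptoKeys/db"
KEY_ROGUE = "projects/shadow-it/locations/us-central1/keyRings/kr/cryptoKeys/k"
SAMPLE_FLEET = (
    Database("ledger", ("us-central1",)),                   # Google-managed encryption
    Database("orders", ("us-east1",), (KEY_EAST,)),         # region denied after creation
    Database("billing", ("us-central1",), (KEY_CENTRAL,)),  # healthy
    Database("audit", ("us-central1",), (KEY_ROGUE,)),      # key in a disallowed project
)

if __name__ == "__main__":
    for name, findings in evaluate_fleet(SAMPLE_FLEET, SAMPLE_POLICIES).items():
        print(name, "OK" if not findings else findings)
```

In the sample run, ledger is flagged for missing CMEK, orders for its now-denied region, and audit for a key held in a project the key-project constraint doesn't allow; billing passes. Before restoring a flagged database, key_location_matches_instance tells you whether the key you created sits in the instance's region, which is the prerequisite the CMEK procedure above relies on.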