This feature is in public preview.
Set up CMEK using AWS KMS
Before you begin
The following steps assume you have:
- Access to the AWS console.
- A Pinecone Enterprise plan.
1. Create a role
In the AWS console, create a role that Pinecone can assume to use your AWS Key Management Service (KMS) key. You can grant Pinecone access to a key in your own account or, if your customers supply their own keys, to keys in accounts outside your own.
- Open the AWS Identity and Access Management (IAM) console.
- In the navigation pane, click Roles.
- Click Create role.
- In the Trusted entity type section, select Custom trust policy.
- In the Custom trust policy section, enter one of the following JSON snippets. Pick the snippet based on whether Pinecone may assume the role from all regions or only from explicit regions, and on whether you want to require an external ID. The external ID is optional but recommended: it guards against the confused-deputy problem, where a third party who knows your Role ARN tries to have Pinecone assume your role on their behalf. If you use an external ID, you must provide the same value to Pinecone when adding the CMEK key, or the AssumeRole call will be denied.
  - Explicit regions + external ID (JSON)
  - Explicit regions + no external ID (JSON)
  - All regions + external ID (JSON)
  In the snippet, replace XXXXXXXXXXXX with Pinecone's AWS account number, which you can find in the Pinecone console under Manage > CMEK by clicking Add CMEK.
- Click Next.
- Keep the default permissions as is and click Next.
- Enter a Role name and click Create role.
- Copy the Role ARN (e.g., arn:aws:iam::XXXXXX:role/YYYYYY). You will enter it when you add the key to a CMEK-enabled project.
2. Create an AWS KMS key
In the AWS console, create the KMS key that Pinecone will use to encrypt your data:
- Open the AWS Key Management Service (KMS) console.
- In the navigation pane, click Customer managed keys.
- Click Create key.
- In the Key type section, select Symmetric.
- In the Key usage section, select Encrypt and decrypt.
- Under Advanced options > Key material origin, select KMS.
- In the Regionality section, select Single-Region key.
  You can create a multi-Region key to guard against data loss if a Region fails. However, Pinecone accepts only one Key ARN per project, so if you use a multi-Region key and later need to change the Key ARN to switch Regions, contact Support for help.
- Click Next.
- Enter an Alias and click Next.
- Keep the default administrators as is and click Next.
- Select the role you created from the Key users list and click Next. This adds a key-policy statement granting that role, and only that role, permission to use the key.
- Click Finish.
- Copy the Key ARN (e.g., arn:aws:kms:us-east-1:XXXXXXX:key/YYYYYYY). You will enter it when you add the key to a CMEK-enabled project.
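The two console procedures above produce two policy documents: the IAM trust policy on the role (step 1) and the KMS key-policy statements that make the role a key user (step 2). The following added example, which is not Pinecone's own snippet and not code from this page, builds both documents and runs a pre-flight check on the trust policy before you paste it into the console. It assumes (not stated on the page) that the trust policy names Pinecone's account root as the principal and gates it with an sts:ExternalId condition, and that the key-user statements mirror what the KMS console generates when a role is chosen under Key users. The page's region-scoped trust-policy variants are not reproduced, because their condition keys are not shown here. Account numbers and the role ARN are constructed placeholders.

```python
"""Build and sanity-check the IAM trust policy and KMS key-user statements
used for Pinecone CMEK. Added example; not Pinecone's own snippets.

Assumptions not taken from the page: the trust policy names Pinecone's
account root as principal and uses sts:ExternalId; the key-user statements
mirror what the KMS console generates for a role picked under "Key users".
"""
import json
from typing import Optional

# Constructed placeholder values. The real account number comes from
# Manage > CMEK > Add CMEK in the Pinecone console; the role ARN is yours.
PINECONE_ACCOUNT_ID = "123456789012"
CUSTOMER_ROLE_ARN = "arn:aws:iam::210987654321:role/pinecone-cmek"


def build_trust_policy(pinecone_account_id: str,
                       external_id: Optional[str] = None) -> dict:
    """Trust policy that lets Pinecone's AWS account assume the role.

    Pinning the principal to Pinecone's account (never "*") limits who can
    assume the role; the sts:ExternalId condition additionally blocks the
    confused-deputy case, where someone else points Pinecone at your role
    ARN. The same external ID must be entered in the Pinecone console when
    the key is added, or the AssumeRole call is denied.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{pinecone_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_key_user_statements(role_arn: str) -> list:
    """Key-policy statements equivalent to choosing the role under 'Key users'.

    Scoped to the single role, so no other principal in the customer
    account gains use of the key.
    """
    return [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def trust_policy_problems(policy: dict, pinecone_account_id: str) -> list:
    """Findings for a trust policy before it is pasted into the console.

    Empty list means every Allow statement is pinned to Pinecone's account,
    grants only sts:AssumeRole, and carries an external ID condition.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = [] if principal == "*" else principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        if principal == "*" or "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume the role")
        for p in aws_principals:
            if p != "*" and f":{pinecone_account_id}:" not in p:
                findings.append(f"principal {p} is not Pinecone's account")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append("trust policy allows actions other than sts:AssumeRole")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition (optional, but recommended)")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(PINECONE_ACCOUNT_ID, external_id="example-external-id")
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_key_user_statements(CUSTOMER_ROLE_ARN), indent=2))
    print("trust policy findings:", trust_policy_problems(trust, PINECONE_ACCOUNT_ID))
```

Run the script and paste the printed trust policy into the Custom trust policy box in step 1; the key-user statements are what the console writes into the key policy for you in step 2, shown here so you can compare against the generated policy. The check rejects a wildcard principal and any account other than Pinecone's, because a trust policy on this role is the only thing standing between your KMS key and whoever can assume the role.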
3. Create a CMEK-enabled project
Once your role and key are configured, you can create a CMEK-enabled project using the Pinecone console:
- Go to Settings > Organization settings > Projects.
- Click +Create project.
- Enter a Name.
- Select Encrypt with Customer Managed Encryption Key.
- Click Create project.
- Copy and save the generated API key in a secure place for future use. You will not be able to see the API key again after you close the dialog.
- Click Close.
Add a key
To start encrypting your data with a customer-managed key, you need to add the key to the CMEK-enabled project using the Pinecone console:
- Go to Manage > CMEK for the CMEK-enabled project.
- Click Add CMEK. You can only add one key per project, and you cannot change the key in Pinecone once it is set.
- Enter a Key name.
- Enter the Role ARN for the role you created.
- Enter a Key ARN for the key you created.
- If you created the role with an external ID, enter the External ID exactly as it appears in the role's trust policy. If not, leave this field blank.
- Click Create key.
Delete a key
Before a key can be deleted from a project, all indexes in the project must be deleted. Then, you can delete the key using the Pinecone console:
- Go to the Manage > CMEK tab for the project in which the key was created.
- For the key you want to delete, click the ellipsis (...) menu > Delete.
- Enter the key name to confirm deletion.
- Click Delete key.
Limitations
- CMEK can be enabled for serverless indexes in AWS regions only.
- Backups are unavailable for indexes created in a CMEK-enabled project.
- You cannot change a key once it is set.
- You can add only one key per project.