Cloud providers offer the encryption option where customers can provide their own key making it encrypted without possible way for the cloud provider to have access to data in clear. How to enforce this hypothesis? as fas as I can understand once the Key is used at the cloud provider, then all the data are in clear in the Database so becomes accessible from the infrastructure.
Customers don't provide keys. They encrypt locally, and then upload stuff. The provider can't decrypt anything, that way.