This page describes how to get your MACsec keys for MACsec for Cloud Interconnect.
MACsec for Cloud Interconnect generates GCM-AES-256 connectivity association key (CAK) and connectivity association key name (CKN) values. You use the values that MACsec for Cloud Interconnect generates when you configure your on-premises router. You can get the values at any time after configuring pre-shared keys on your Cloud Interconnect connection.
For more information, see Configure your on-premises router.
Required roles
To get the permissions that you need to retrieve MACsec keys,
ask your administrator to grant you the
Compute Network Admin (roles/compute.networkAdmin) IAM role on your project.
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles or other predefined roles.
If you choose to use custom roles, ensure that your custom role for
administrating MACsec for Cloud Interconnect includes the
compute.interconnects.getMacsecConfig IAM permission.
Get pre-shared keys
Select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the connection that you want to view.
On the MACsec tab, go to the Pre-shared keys section and find the name of the pre-shared key, and then click View. A window displays the connectivity association key (CAK) and the connectivity association key name (CKN). Click the Copy button to copy each value to your computer's clipboard.
Click Close.
gcloud
Run the following command:
gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME
Replace INTERCONNECT_CONNECTION_NAME with the name of your
Cloud Interconnect connection.
The output is similar to the following:
preSharedKeys:
- cak: 0123456789abcdef...0123456789abcdef
ckn: 0101016789abcdef...0123456789abcdef
name: key1
startTime: 2023-07-01T21:00:01.000Z