Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to get your MACsec keys for
MACsec for Cloud Interconnect.
MACsec for Cloud Interconnect generates GCM-AES-256 connectivity
association key (CAK) and connectivity association key name (CKN) values. You
use the values that MACsec for Cloud Interconnect generates when you
configure your on-premises router. You can get the values at any time after
configuring pre-shared keys on your Cloud Interconnect connection.
If you choose to use custom roles, ensure that your custom role for
administrating MACsec for Cloud Interconnect includes the
compute.interconnects.getMacsecConfig IAM permission.
Get pre-shared keys
Select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical
connections tab.
On the MACsec tab, go to the Pre-shared keys section and find the
name of the pre-shared key, and then click View. A window displays the
connectivity association key (CAK) and the connectivity association
key name (CKN). Click the Copy button to copy each value to your
computer's clipboard.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Get MACsec keys\n\nThis page describes how to get your MACsec keys for\nMACsec for Cloud Interconnect.\n\nMACsec for Cloud Interconnect generates GCM-AES-256 connectivity\nassociation key (CAK) and connectivity association key name (CKN) values. You\nuse the values that MACsec for Cloud Interconnect generates when you\nconfigure your on-premises router. You can get the values at any time after\nconfiguring pre-shared keys on your Cloud Interconnect connection.\n\nFor more information, see\n[Configure your on-premises router](/network-connectivity/docs/interconnect/how-to/macsec/set-up-macsec#configure-your-on-premises-router).\n\nRequired roles\n--------------\n\n\nTo get the permissions that\nyou need to retrieve MACsec keys,\n\nask your administrator to grant you the\n\n\n[Compute Network Admin](/iam/docs/roles-permissions/compute#compute.networkAdmin) (`roles/compute.networkAdmin`)\nIAM role on your project.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nIf you choose to use custom roles, ensure that your custom role for\nadministrating MACsec for Cloud Interconnect includes the\n`compute.interconnects.getMacsecConfig` IAM permission.\n\nGet pre-shared keys\n-------------------\n\nSelect one of the following options: \n\n### Console\n\n1. In the Google Cloud console, go to the Cloud Interconnect **Physical\n connections** tab.\n\n [Go to Physical connections](https://console.cloud.google.com/hybrid/interconnects/list?tab=interconnects)\n2. Select the connection that you want to view.\n\n3. On the **MACsec** tab, go to the **Pre-shared keys** section and find the\n name of the pre-shared key, and then click **View** . A window displays the\n connectivity association key (**CAK** ) and the connectivity association\n key name (**CKN** ). Click the **Copy** button to copy each value to your\n computer's clipboard.\n\n4. Click **Close**.\n\n### gcloud\n\nRun the following command: \n\n gcloud compute interconnects macsec get-config \u003cvar translate=\"no\"\u003eINTERCONNECT_CONNECTION_NAME\u003c/var\u003e\n\nReplace \u003cvar translate=\"no\"\u003eINTERCONNECT_CONNECTION_NAME\u003c/var\u003e with the name of your\nCloud Interconnect connection.\n\nThe output is similar to the following: \n\n preSharedKeys:\n - cak: 0123456789abcdef...0123456789abcdef\n ckn: 0101016789abcdef...0123456789abcdef\n name: key1\n startTime: 2023-07-01T21:00:01.000Z\n\nWhat's next?\n------------\n\n- [Rotate MACsec\n keys](/network-connectivity/docs/interconnect/how-to/macsec/rotate-macsec-keys)\n- [View MACsec status](/network-connectivity/docs/interconnect/how-to/macsec/view-macsec-status)\n- [Troubleshoot MACsec](/network-connectivity/docs/interconnect/how-to/macsec/troubleshoot-macsec)"]]
