Adk Deploy Guide

1---2name: adk-deploy-guide3description: >4  MUST READ before deploying any ADK agent.5  ADK deployment guide — Agent Engine, Cloud Run, GKE, CI/CD pipelines,6  secrets, observability, and production workflows.7  Use when deploying agents to Google Cloud or troubleshooting deployments.8  Do NOT use for API code patterns (use adk-cheatsheet), evaluation9  (use adk-eval-guide), or project scaffolding (use adk-scaffold).10metadata:11  license: Apache-2.012  author: Google13---14 15# ADK Deployment Guide16 17> **Scaffolded project?** Use the `make` commands throughout this guide — they wrap Terraform, Docker, and deployment into a tested pipeline.18>19> **No scaffold?** See [Quick Deploy](#quick-deploy-adk-cli) below, or the [ADK deployment docs](https://adk.dev/deploy/).20> For production infrastructure, scaffold with `/adk-scaffold`.21 22### Reference Files23 24For deeper details, consult these reference files in `references/`:25 26- **`cloud-run.md`** — Scaling defaults, Dockerfile, session types, networking27- **`agent-engine.md`** — deploy.py CLI, AdkApp pattern, Terraform resource, deployment metadata, CI/CD differences28- **`gke.md`** — GKE Autopilot cluster, Terraform-managed Kubernetes resources, Workload Identity, session types, networking29- **`terraform-patterns.md`** — Custom infrastructure, IAM, state management, importing resources30- **`event-driven.md`** — Pub/Sub, Eventarc, BigQuery Remote Function triggers via custom `fast_api_app.py` endpoints31 32> **Observability:** See the **adk-observability-guide** skill for Cloud Trace, prompt-response logging, BigQuery Analytics, and third-party integrations.33 34---35 36## Deployment Target Decision Matrix37 38Choose the right deployment target based on your requirements:39 40| Criteria | Agent Engine | Cloud Run | GKE |41|----------|-------------|-----------|-----|42| **Languages** | Python | Python | Python (+ others via custom containers) |43| **Scaling** | Managed auto-scaling (configurable min/max, concurrency) | Fully configurable (min/max instances, concurrency, CPU allocation) | Full Kubernetes scaling (HPA, VPA, node auto-provisioning) |44| **Networking** | VPC-SC and PSC supported | Full VPC support, direct VPC egress, IAP, ingress rules | Full Kubernetes networking|45| **Session state** | Native `VertexAiSessionService` (persistent, managed) | In-memory (dev), Cloud SQL, or Agent Engine session backend | In-memory (dev), Cloud SQL, or Agent Engine session backend |46| **Batch/event processing** | Not supported | `/invoke` endpoint for Pub/Sub, Eventarc, BigQuery | Custom (Kubernetes Jobs, Pub/Sub) |47| **Cost model** | vCPU-hours + memory-hours (not billed when idle) | Per-instance-second + min instance costs | Node pool costs (always-on or auto-provisioned) |48| **Setup complexity** | Lower (managed, purpose-built for agents) | Medium (Dockerfile, Terraform, networking) | Higher (Kubernetes expertise required) |49| **Best for** | Managed infrastructure, minimal ops | Custom infra, event-driven workloads | Full Kubernetes control |50 51**Ask the user** which deployment target fits their needs. Each is a valid production choice with different trade-offs.52 53---54 55## Quick Deploy (ADK CLI)56 57For projects without Agent Starter Pack scaffolding. No Makefile, Terraform, or Dockerfile required.58 59```bash60# Cloud Run61adk deploy cloud_run --project=PROJECT --region=REGION path/to/agent/62 63# Agent Engine64adk deploy agent_engine --project=PROJECT --region=REGION path/to/agent/65 66# GKE (requires existing cluster)67adk deploy gke --project=PROJECT --cluster_name=CLUSTER --region=REGION path/to/agent/68```69 70All commands support `--with_ui` to deploy the ADK dev UI. Cloud Run also accepts extra `gcloud` flags after `--` (e.g., `-- --no-allow-unauthenticated`).71 72See `adk deploy --help` or the [ADK deployment docs](https://adk.dev/deploy/) for full flag reference.73 74> For CI/CD, observability, or production infrastructure, scaffold with `/adk-scaffold` and use the sections below.75 76---77 78## Dev Environment Setup & Deploy (Scaffolded Projects)79 80### Setting Up Dev Infrastructure (Optional)81 82`make setup-dev-env` runs `terraform apply` in `deployment/terraform/dev/`. This provisions supporting infrastructure:83- Service accounts (`app_sa` for the agent, used for runtime permissions)84- Artifact Registry repository (for container images)85- IAM bindings (granting the app SA necessary roles)86- Telemetry resources (Cloud Logging bucket, BigQuery dataset)87- Any custom resources defined in `deployment/terraform/dev/`88 89This step is **optional** — `make deploy` works without it (Cloud Run creates the service on the fly via `gcloud run deploy --source .`). However, running it gives you proper service accounts, observability, and IAM setup.90 91```bash92make setup-dev-env93```94 95> **Note:** `make deploy` doesn't automatically use the Terraform-created `app_sa`. Pass `--service-account` explicitly or update the Makefile.96 97### Deploying98 991. **Notify the human**: "Eval scores meet thresholds and tests pass. Ready to deploy to dev?"1002. **Wait for explicit approval**1013. Once approved: `make deploy`102 103**IMPORTANT**: Never run `make deploy` without explicit human approval.104 105---106 107## Production Deployment — CI/CD Pipeline108 109**Best for:** Production applications, teams requiring staging → production promotion.110 111**Prerequisites:**1121. Project must NOT be in a gitignored folder1132. User must provide staging and production GCP project IDs1143. GitHub repository name and owner115 116**Steps:**1171. If prototype, first add Terraform/CI-CD files using the Agent Starter Pack CLI (see `/adk-scaffold` for full options):118   ```bash119   uvx agent-starter-pack enhance . --cicd-runner github_actions -y -s120   ```121 1222. Ensure you're logged in to GitHub CLI:123   ```bash124   gh auth login  # (skip if already authenticated)125   ```126 1273. Run setup-cicd:128   ```bash129   uvx agent-starter-pack setup-cicd \130     --staging-project YOUR_STAGING_PROJECT \131     --prod-project YOUR_PROD_PROJECT \132     --repository-name YOUR_REPO_NAME \133     --repository-owner YOUR_GITHUB_USERNAME \134     --auto-approve \135     --create-repository136   ```137 1384. Push code to trigger deployments139 140#### Key `setup-cicd` Flags141 142| Flag | Description |143|------|-------------|144| `--staging-project` | GCP project ID for staging environment |145| `--prod-project` | GCP project ID for production environment |146| `--repository-name` / `--repository-owner` | GitHub repository name and owner |147| `--auto-approve` | Skip Terraform plan confirmation prompts |148| `--create-repository` | Create the GitHub repo if it doesn't exist |149| `--cicd-project` | Separate GCP project for CI/CD infrastructure. Defaults to prod project |150| `--local-state` | Store Terraform state locally instead of in GCS (see `references/terraform-patterns.md`) |151 152Run `uvx agent-starter-pack setup-cicd --help` for the full flag reference (Cloud Build options, dev project, region, etc.).153 154### Choosing a CI/CD Runner155 156| Runner | Pros | Cons |157|--------|------|------|158| **github_actions** (Default) | No PAT needed, uses `gh auth`, WIF-based, fully automated | Requires GitHub CLI authentication |159| **google_cloud_build** | Native GCP integration | Requires interactive browser authorization (or PAT + app installation ID for programmatic mode) |160 161### How Authentication Works (WIF)162 163Both runners use **Workload Identity Federation (WIF)** — GitHub/Cloud Build OIDC tokens are trusted by a GCP Workload Identity Pool, which grants `cicd_runner_sa` impersonation. No long-lived service account keys needed. Terraform in `setup-cicd` creates the pool, provider, and SA bindings automatically. If auth fails, re-run `terraform apply` in the CI/CD Terraform directory.164 165### CI/CD Pipeline Stages166 167The pipeline has three stages:168 1691. **CI (PR checks)** — Triggered on pull request. Runs unit and integration tests.1702. **Staging CD** — Triggered on merge to `main`. Builds container, deploys to staging, runs load tests.171   > **Path filter:** Staging CD uses `paths: ['app/**']` — it only triggers when files under `app/` change. The first push after `setup-cicd` won't trigger staging CD unless you modify something in `app/`. If nothing happens after pushing, this is why.1723. **Production CD** — Triggered after successful staging deploy via `workflow_run`. Might require **manual approval** before deploying to production.173   > **Approving:** Go to GitHub Actions → the production workflow run → click "Review deployments" → approve the pending `production` environment. This is GitHub's environment protection rules, not a custom mechanism.174 175**IMPORTANT**: `setup-cicd` creates infrastructure but doesn't deploy automatically. Terraform configures all required GitHub secrets and variables (WIF credentials, project IDs, service accounts). Push code to trigger the pipeline:176 177```bash178git add . && git commit -m "Initial agent implementation"179git push origin main180```181 182To approve production deployment:183 184```bash185# GitHub Actions: Approve via repository Actions tab (environment protection rules)186 187# Cloud Build: Find pending build and approve188gcloud builds list --project=PROD_PROJECT --region=REGION --filter="status=PENDING"189gcloud builds approve BUILD_ID --project=PROD_PROJECT190```191 192---193 194## Cloud Run Specifics195 196For detailed infrastructure configuration (scaling defaults, Dockerfile, FastAPI endpoints, session types, networking), see `references/cloud-run.md`. For ADK docs on Cloud Run deployment, fetch `https://adk.dev/deploy/cloud-run/index.md`.197 198---199 200## Agent Engine Specifics201 202Agent Engine is a managed Vertex AI service for deploying Python ADK agents. Uses source-based deployment (no Dockerfile) via `deploy.py` and the `AdkApp` class.203 204> **No `gcloud` CLI exists for Agent Engine.** Deploy via `deploy.py` or `adk deploy agent_engine`. Query via the Python `vertexai.Client` SDK.205 206Deployments can take 5-10 minutes. If `make deploy` times out, check if the engine was created and manually populate `deployment_metadata.json` with the engine resource ID (see reference for details).207 208For detailed infrastructure configuration (deploy.py flags, AdkApp pattern, Terraform resource, deployment metadata, session/artifact services, CI/CD differences), see `references/agent-engine.md`. For ADK docs on Agent Engine deployment, fetch `https://adk.dev/deploy/agent-engine/index.md`.209 210---211 212## GKE Specifics213 214For detailed infrastructure configuration (Terraform-managed Kubernetes resources, Workload Identity, session types, networking), see `references/gke.md`. For ADK docs on GKE deployment, fetch `https://adk.dev/deploy/gke/index.md`.215 216---217 218## Service Account Architecture219 220Scaffolded projects use two service accounts:221 222- **`app_sa`** (per environment) — Runtime identity for the deployed agent. Roles defined in `deployment/terraform/iam.tf`.223- **`cicd_runner_sa`** (CI/CD project) — CI/CD pipeline identity (GitHub Actions / Cloud Build). Lives in the CI/CD project (defaults to prod project), needs permissions in **both** staging and prod projects.224 225Check `deployment/terraform/iam.tf` for exact role bindings. Cross-project permissions (Cloud Run service agents, artifact registry access) are also configured there.226 227**Common 403 errors:**228- "Permission denied on Cloud Run" → `cicd_runner_sa` missing deployment role in the target project229- "Cannot act as service account" → Missing `iam.serviceAccountUser` binding on `app_sa`230- "Secret access denied" → `app_sa` missing `secretmanager.secretAccessor`231- "Artifact Registry read denied" → Cloud Run service agent missing read access in CI/CD project232 233---234 235## Secret Manager (for API Credentials)236 237Instead of passing sensitive keys as environment variables, use GCP Secret Manager.238 239```bash240# Create a secret241echo -n "YOUR_API_KEY" | gcloud secrets create MY_SECRET_NAME --data-file=-242 243# Update an existing secret244echo -n "NEW_API_KEY" | gcloud secrets versions add MY_SECRET_NAME --data-file=-245```246 247**Grant access:** For Cloud Run, grant `secretmanager.secretAccessor` to `app_sa`. For Agent Engine, grant it to the platform-managed SA (`service-PROJECT_NUMBER@gcp-sa-aiplatform-re.iam.gserviceaccount.com`). For GKE, grant `secretmanager.secretAccessor` to `app_sa`. Access secrets via Kubernetes Secrets or directly via the Secret Manager API with Workload Identity.248 249**Pass secrets at deploy time (Agent Engine):**250```bash251make deploy SECRETS="API_KEY=my-api-key,DB_PASS=db-password:2"252```253 254Format: `ENV_VAR=SECRET_ID` or `ENV_VAR=SECRET_ID:VERSION` (defaults to latest). Access in code via `os.environ.get("API_KEY")`.255 256---257 258## Observability259 260See the **adk-observability-guide** skill for observability configuration (Cloud Trace, prompt-response logging, BigQuery Analytics, third-party integrations).261 262---263 264## Testing Your Deployed Agent265 266### Agent Engine Deployment267 268**Option 1: Testing Notebook**269```bash270jupyter notebook notebooks/adk_app_testing.ipynb271```272 273**Option 2: Python Script**274```python275import json276import vertexai277 278with open("deployment_metadata.json") as f:279    engine_id = json.load(f)["remote_agent_engine_id"]280 281client = vertexai.Client(location="us-central1")282agent = client.agent_engines.get(name=engine_id)283 284async for event in agent.async_stream_query(message="Hello!", user_id="test"):285    print(event)286```287 288**Option 3: Playground**289```bash290make playground291```292 293### Cloud Run Deployment294 295> **Auth required by default.** Cloud Run deploys with `--no-allow-unauthenticated`, so all requests need an `Authorization: Bearer` header with an identity token. Getting a 403? You're likely missing this header. To allow public access, redeploy with `--allow-unauthenticated`.296 297```bash298SERVICE_URL="https://SERVICE_NAME-PROJECT_NUMBER.REGION.run.app"299AUTH="Authorization: Bearer $(gcloud auth print-identity-token)"300 301# Test health endpoint302curl -H "$AUTH" "$SERVICE_URL/"303 304# Step 1: Create a session (required before sending messages)305curl -X POST "$SERVICE_URL/apps/app/users/test-user/sessions" \306  -H "Content-Type: application/json" \307  -H "$AUTH" \308  -d '{}'309# → returns JSON with "id" — use this as SESSION_ID below310 311# Step 2: Send a message via SSE streaming312curl -X POST "$SERVICE_URL/run_sse" \313  -H "Content-Type: application/json" \314  -H "$AUTH" \315  -d '{316    "app_name": "app",317    "user_id": "test-user",318    "session_id": "SESSION_ID",319    "new_message": {"role": "user", "parts": [{"text": "Hello!"}]}320  }'321```322 323> **Common mistake:** Using `{"message": "Hello!", "user_id": "...", "session_id": "..."}` returns `422 Field required`. The ADK HTTP server expects the `new_message` / `parts` schema shown above, and the session must already exist.324 325### GKE Deployment326 327GKE LoadBalancer services are public by default — no auth header needed (unlike Cloud Run). See `references/gke.md` for curl examples and endpoint details.328 329### Load Tests330 331```bash332make load-test333```334 335See `tests/load_test/README.md` for configuration, default settings, and CI/CD integration details.336 337---338 339## Deploying with a UI (IAP)340 341To expose your agent with a web UI protected by Google identity authentication:342 343```bash344# Deploy with IAP (built-in framework UI)345make deploy IAP=true346 347# Deploy with custom frontend on a different port348make deploy IAP=true PORT=5173349```350 351IAP (Identity-Aware Proxy) secures the Cloud Run service — only authorized Google accounts can access it. After deploying, grant user access via the [Cloud Console IAP settings](https://cloud.google.com/run/docs/securing/identity-aware-proxy-cloud-run#manage_user_or_group_access).352 353For Agent Engine with a custom frontend, use a **decoupled deployment** — deploy the frontend separately to Cloud Run or Cloud Storage, connecting to the Agent Engine backend API.354 355---356 357## Rollback & Recovery358 359The primary rollback mechanism is **git-based**: fix the issue, commit, and push to `main`. The CI/CD pipeline will automatically build and deploy the new version through staging → production.360 361For immediate Cloud Run rollback without a new commit, use revision traffic shifting:362```bash363gcloud run revisions list --service=SERVICE_NAME --region=REGION364gcloud run services update-traffic SERVICE_NAME \365  --to-revisions=REVISION_NAME=100 --region=REGION366```367 368Agent Engine doesn't support revision-based rollback — fix and redeploy via `make deploy`.369 370For GKE rollback, use `kubectl rollout undo`:371```bash372kubectl rollout undo deployment/DEPLOYMENT_NAME -n NAMESPACE373kubectl rollout status deployment/DEPLOYMENT_NAME -n NAMESPACE374```375 376---377 378## Custom Infrastructure (Terraform)379 380For custom infrastructure patterns (Pub/Sub, BigQuery, Eventarc, Cloud SQL, IAM), consult `references/terraform-patterns.md` for:381- Where to put custom Terraform files (dev vs CI/CD)382- Resource examples (Pub/Sub, BigQuery, Eventarc triggers)383- IAM bindings for custom resources384- Terraform state management (remote vs local, importing resources)385- Common infrastructure patterns386 387---388 389## Troubleshooting390 391| Issue | Solution |392|-------|----------|393| Terraform state locked | `terraform force-unlock -force LOCK_ID` in deployment/terraform/ |394| GitHub Actions auth failed | Re-run `terraform apply` in CI/CD terraform dir; verify WIF pool/provider |395| Cloud Build authorization pending | Use `github_actions` runner instead |396| Resource already exists | `terraform import` (see `references/terraform-patterns.md`) |397| Agent Engine deploy timeout / hangs | Deployments take 5-10 min; check if engine was created (see Agent Engine Specifics) |398| Secret not available | Verify `secretAccessor` granted to `app_sa` (not the default compute SA) |399| 403 on deploy | Check `deployment/terraform/iam.tf` — `cicd_runner_sa` needs deployment + SA impersonation roles in the target project |400| 403 when testing Cloud Run | Default is `--no-allow-unauthenticated`; include `Authorization: Bearer $(gcloud auth print-identity-token)` header |401| Cold starts too slow | Set `min_instance_count > 0` in Cloud Run Terraform config |402| Cloud Run 503 errors | Check resource limits (memory/CPU), increase `max_instance_count`, or check container crash logs |403| 403 right after granting IAM role | IAM propagation is not instant — wait a couple of minutes before retrying. Don't keep re-granting the same role |404| Resource seems missing but Terraform created it | Run `terraform state list` to check what Terraform actually manages. Resources created via `null_resource` + `local-exec` (e.g., BQ linked datasets) won't appear in `gcloud` CLI output |