rss-bridge 2026-02-26T00:00:00+00:00

Secure and fast deployments to Google Agent Engine with GitLab

In this tutorial, you'll learn how to deploy an AI agent built with Google's Agent Development Kit (ADK) to Agent Engine using GitLab's native Google Cloud integration and CI/CD pipelines. We'll cover IAM configuration, pipeline setup, and testing your deployed agent.What is Agent Engine and why does it matter?Agent Engine is Google Cloud's managed runtime specifically designed for AI agents. Think of it as the production home for your agents — where they live, run, and scale without you having to manage the underlying infrastructure. Agent Engine handles infrastructure, scaling, session management, and memory storage so you can focus on building your agent — not managing servers. It also integrates natively with Google Cloud's logging, monitoring, and IAM.Why use GitLab to deploy to Agent Engine?AI agent deployment is typically difficult to configure correctly. Security considerations, CI/CD orchestration, and cloud permissions create friction that slows down development cycles.GitLab streamlines this entire process while enhancing security:Built-in security scanning — Every deployment is automatically scanned for vulnerabilities without additional configuration.Native Google Cloud integration — Workload Identity Federation eliminates the need for service account keys.Simplified CI/CD — GitLab's templates handle complex deployment logic.PrerequisitesBefore you begin, ensure you have:A Google Cloud project with the following APIs enabled:
Cloud Storage APIVertex AI APIA GitLab project for your source code and CI/CD pipelineA Google Cloud Storage bucket for staging deploymentsGoogle Cloud IAM integration configured in GitLab (see Step 1)Here are the steps to follow.1. Configure IAM integrationThe foundation of secure deployment is proper IAM configuration between GitLab and Google Cloud using Workload Identity Federation.In your GitLab project:Navigate to Settings Integrations.Locate the Google Cloud IAM integration.Provide the following information:
Project ID: Your Google Cloud project IDProject Number: Found in your Google Cloud consoleWorkload Identity Pool ID: A unique identifier for your identity poolProvider ID: A unique identifier for your identity providerGitLab generates a script for you. Copy and run this script in Google Cloud Shell to establish the Workload Identity Federation between platforms.Important: Add these additional roles to your service principal for Agent Engine deployment:roles/aiplatform.userroles/storage.objectAdminYou can add these roles using gcloud commands:"
GCP_PROJECT_NUMBER=""
GCP_WORKLOAD_IDENTITY_POOL=""

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
--role='roles/storage.objectAdmin'
2. Create the CI/CD pipelineNow for the core of the deployment — the CI/CD pipeline. Create a .gitlab-ci.yml file in your project root:"
GCP_REGION: "us-central1"
STORAGE_BUCKET: ""
AGENT_NAME: "Canada City Advisor"
AGENT_ENTRY: "canada_city_advisor"

image: google/cloud-sdk:slim

Security scanning templates

include:

template: Jobs/Dependency-Scanning.gitlab-ci.yml
template: Jobs/SAST.gitlab-ci.yml
template: Jobs/Secret-Detection.gitlab-ci.yml

deploy-agent:
stage: deploy
identity: google_cloud
rules:

if: $CI_COMMIT_BRANCH == "main"

before_script:

gcloud config set core/disable_usage_reporting true
gcloud config set component_manager/disable_update_check true
pip install -q --no-cache-dir --upgrade pip google-genai google-cloud-aiplatform -r requirements.txt --break-system-packages

script:

gcloud config set project $GCP_PROJECT_ID
adk deploy agent_engine

--project=$GCP_PROJECT_ID
--region=$GCP_REGION
--staging_bucket=gs://$STORAGE_BUCKET
--display_name="$AGENT_NAME"
$AGENT_ENTRY
" language="yaml" meta=""stages:

test
deploy

cache:
paths:

.cache/pip

key: ${CI_COMMIT_REF_SLUG}

variables:
GCP_PROJECT_ID: ""
GCP_REGION: "us-central1"
STORAGE_BUCKET: ""
AGENT_NAME: "Canada City Advisor"
AGENT_ENTRY: "canada_city_advisor"

image: google/cloud-sdk:slim

Security scanning templates

include:

template: Jobs/Dependency-Scanning.gitlab-ci.yml
template: Jobs/SAST.gitlab-ci.yml
template: Jobs/Secret-Detection.gitlab-ci.yml

deploy-agent:
stage: deploy
identity: google_cloud
rules:

if: $CI_COMMIT_BRANCH == "main"

before_script:

gcloud config set core/disable_usage_reporting true
gcloud config set component_manager/disable_update_check true
pip install -q --no-cache-dir --upgrade pip google-genai google-cloud-aiplatform -r requirements.txt --break-system-packages

script:

gcloud config set project $GCP_PROJECT_ID
adk deploy agent_engine

--project=$GCP_PROJECT_ID
--region=$GCP_REGION
--staging_bucket=gs://$STORAGE_BUCKET
--display_name="$AGENT_NAME"
$AGENT_ENTRY
The pipeline consists of two stages:Test stage — GitLab's security scanners run automatically. The included templates provide dependency scanning, static application security testing (SAST), and secret detection without additional configuration.Deploy stage — Uses the ADK CLI to deploy your agent directly to Agent Engine. The staging bucket temporarily holds your application workload before Agent Engine picks it up for deployment.Key configuration notesThe identity: google_cloud directive enables keyless authentication via Workload Identity Federation.Security scanners are included as templates, meaning they run by default with no setup required.The adk deploy agent_engine command handles all the complexity of packaging and deploying your agent.Pipeline caching speeds up subsequent deployments by preserving pip dependencies.3. Deploy and verifyWith your pipeline configured:Commit your agent code and .gitlab-ci.yml to GitLab.Navigate to Build Pipelines to monitor execution.Watch the test stage complete security scans.Observe the deploy stage push your agent to Agent Engine.Once the pipeline succeeds, verify your deployment in the Google Cloud Console:Navigate to Vertex AI Agent Engine.Locate your deployed agent.Note the resource name — you'll need this for testing.4. Test your deployed agentTest your agent using a curl command. You'll need three pieces of information:Agent ID: From the Agent Engine console (the resource name's numeric identifier)Project ID: Your Google Cloud projectLocation: The region where you deployed (e.g., us-central1)"
LOCATION="us-central1"
AGENT_ID=""
TOKEN=$(gcloud auth print-access-token)

curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
"https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/reasoningEngines/${AGENT_ID}:streamQuery" \
-d '{
"input": {
"message": "I make $85,000 per year and I prefer cities with mild winters and a vibrant cultural scene. I also want to be near the coast if possible. What Canadian cities would you recommend?",
"user_id": "demo-user"
}
}' | jq -r '.content.parts[0].text'
If everything is configured correctly, your agent will respond with personalized city recommendations based on the budget and lifestyle preferences provided.Security benefits of this approachThis deployment pattern provides several security advantages:No long-lived credentials: Workload Identity Federation eliminates service account keys entirely.Automated vulnerability scanning: Every deployment is scanned before reaching production.Complete audit trail: GitLab maintains full visibility of who deployed what and when.Principle of least privilege: Fine-grained IAM roles limit access to only what's needed.SummaryDeploying AI agents to production doesn't have to be complex. By combining GitLab's DevSecOps platform with Google Cloud's Agent Engine, you get:A managed runtime that handles scaling and infrastructureBuilt-in security scanning without additional toolingKeyless authentication via native cloud integrationA streamlined deployment process that fits modern AI development workflowsWatch the full demo: Ready to try it yourself? Use this tutorial's complete code example to get started now. Not a GitLab customer yet? Explore the DevSecOps platform with a free trial.

Source: https://about.gitlab.com/blog/secure-and-fast-deployments-to-google-agent-engine-with-gitlab/