Secure and fast deployments to Google Agent Engine with GitLab

Source: GitLab Blog

In this tutorial you’ll learn how to deploy an AI agent built with Google’s Agent Development Kit (ADK) to Agent Engine using GitLab’s native Google Cloud integration and CI/CD pipelines. We’ll cover:

• IAM configuration
• Pipeline setup
• Testing the deployed agent

What is Agent Engine and Why Does It Matter?

Agent Engine is Google Cloud’s managed runtime designed specifically for AI agents. Think of it as the production home for your agents—where they live, run, and scale without you having to manage the underlying infrastructure.

• Handles infrastructure, scaling, session management, and memory storage.
• Integrates natively with Google Cloud Logging, Monitoring, and IAM.

Why Use GitLab to Deploy to Agent Engine?

Deploying AI agents can be tricky: security considerations, CI/CD orchestration, and cloud permissions often create friction. GitLab streamlines the whole process while enhancing security:

Prerequisites

Before you begin, make sure you have:

1. Google Cloud project with the following APIs enabled
   • Cloud Storage API
   • Vertex AI API
2. GitLab project for your source code and CI/CD pipeline.
3. Google Cloud Storage bucket for staging deployments.
4. Google Cloud IAM integration configured in GitLab (see Step 1 below).

Step 1 – Configure IAM Integration

The foundation of a secure deployment is proper IAM configuration between GitLab and Google Cloud using Workload Identity Federation.

In GitLab

1. Go to Settings > Integrations.
2. Locate the Google Cloud IAM integration.
3. Provide the following information:

GitLab will generate a script for you. Copy the script and run it in Google Cloud Shell to establish the Workload Identity Federation between the platforms.

Add Required Roles

Add these roles to the service principal that will deploy to Agent Engine:

• roles/aiplatform.user
• roles/storage.objectAdmin

Example gcloud commands

# Set variables (replace placeholders with your values)
GCP_PROJECT_ID=""
GCP_PROJECT_NUMBER=""
GCP_WORKLOAD_IDENTITY_POOL=""

# Grant Vertex AI user role
gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/aiplatform.user'

# Grant Cloud Storage object admin role
gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/storage.objectAdmin'

Step 2 – Create the CI/CD Pipeline

Create a .gitlab-ci.yml file in the root of your repository.

stages:
  - test
  - deploy

cache:
  paths:
    - .cache/pip
  key: ${CI_COMMIT_REF_SLUG}

variables:
  GCP_PROJECT_ID: ""
  GCP_REGION: "us-central1"
  STORAGE_BUCKET: ""
  AGENT_NAME: "Canada City Advisor"
  AGENT_ENTRY: "canada_city_advisor"

image: google/cloud-sdk:slim

# Security‑scanning templates
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

deploy-agent:
  stage: deploy
  identity: google_cloud          # Enables keyless auth via Workload Identity Federation
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  before_script:
    - gcloud config set core/disable_usage_reporting true
    - gcloud config set component_manager/disable_update_check true
    - pip install -q --no-cache-dir --upgrade pip google-genai google-cloud-aiplatform -r requirements.txt --break-system-packages
  script:
    - gcloud config set project $GCP_PROJECT_ID
    - adk deploy agent_engine \
        --project=$GCP_PROJECT_ID \
        --region=$GCP_REGION \
        --staging_bucket=gs://$STORAGE_BUCKET \
        --display_name="$AGENT_NAME" \
        $AGENT_ENTRY

Pipeline Overview

Key notes

• identity: google_cloud enables keyless authentication via Workload Identity Federation.
• Security scanners are included as templates, so they run by default with no extra setup.
• adk deploy agent_engine abstracts the packaging and deployment complexity.
• Caching speeds up subsequent runs by preserving pip dependencies.

Step 3 – Deploy and Verify

1. Commit your agent code and the .gitlab-ci.yml file to GitLab.

2. Navigate to CI /CD > Pipelines to monitor execution.

3. Observe:

   • Test stage – security scans complete.
   • Deploy stage – your agent is pushed to Agent Engine.

4. When the pipeline succeeds, verify the deployment in the Google Cloud Console:

   • Go to Vertex AI > Agent Engine.
   • Locate your deployed agent.
   • Note the resource name (you’ll need it for testing).

Step 4 – Test Your Deployed Agent

You can test the agent with a simple curl request. You’ll need three pieces of information:

Example curl command

AGENT_ID="projects//locations/us-central1/agents/"
ENDPOINT="https://us-central1-aiplatform.googleapis.com/v1/${AGENT_ID}:predict"

# Get an access token (if you’re using a service account with keyless auth, you can skip this step)
ACCESS_TOKEN=$(gcloud auth print-access-token)

curl -X POST "${ENDPOINT}" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
        "instances": [
          {"text": "Hello, Agent!"}
        ]
      }'

If everything is set up correctly, you should receive a JSON response from your agent.

🎉 You’re Done!

You have now:

• Configured secure IAM integration between GitLab and Google Cloud.
• Built a CI/CD pipeline that runs security scans and deploys your ADK agent.
• Deployed the agent to Agent Engine and verified its presence.
• Tested the live endpoint with a simple curl request.

Feel free to iterate on your agent, push new changes, and let GitLab automatically handle testing and deployment. Happy building!

Project Configuration

• Project ID: Your Google Cloud project
• Location: The region where you deployed (e.g., us-central1)

PROJECT_ID=""
LOCATION="us-central1"
AGENT_ID=""
TOKEN=$(gcloud auth print-access-token)

curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  "https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/reasoningEngines/${AGENT_ID}:streamQuery" \
  -d '{
    "input": {
      "message": "I make $85,000 per year and I prefer cities with mild winters and a vibrant cultural scene. I also want to be near the coast if possible. What Canadian cities would you recommend?",
      "user_id": "demo‑user"
    }
  }' | jq -r '.content.parts[0].text'

If everything is configured correctly, your agent will respond with personalized city recommendations based on the budget and lifestyle preferences provided.

Security Benefits of This Approach

• No long‑lived credentials – Workload Identity Federation eliminates service‑account keys entirely.
• Automated vulnerability scanning – Every deployment is scanned before reaching production.
• Complete audit trail – GitLab maintains full visibility of who deployed what and when.
• Principle of least privilege – Fine‑grained IAM roles limit access to only what’s needed.

Summary

Deploying AI agents to production doesn’t have to be complex. By combining GitLab’s DevSecOps platform with Google Cloud’s Agent Engine, you get:

• A managed runtime that handles scaling and infrastructure.
• Built‑in security scanning without additional tooling.
• Keyless authentication via native cloud integration.
• A streamlined deployment process that fits modern AI development workflows.

Watch the Full Demo

[Link to demo video]

Ready to Try It Yourself?

Use this tutorial’s complete code example to get started now.

Not a GitLab customer yet? Explore the DevSecOps platform with a free trial.