Comprehensive deployment guide for ADK agents across Google Cloud platforms with CI/CD, infrastructure, and troubleshooting.
Works with
Covers three deployment targets (Agent Engine, Cloud Run, GKE) with a decision matrix comparing scaling, networking, session state, and cost models
Includes quick-deploy CLI commands, scaffolded project workflows with make commands, and full CI/CD pipeline setup via GitHub Actions or Cloud Build with Workload Identity Federation
Provides platform-specific detai
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionadk-deploy-guideExecute the skills CLI command in your project's root directory to begin installation:
Fetches adk-deploy-guide from google/adk-docs and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate adk-deploy-guide. Access via /adk-deploy-guide in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
1.3K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
1.3K
stars
Scaffolded project? Use the
makecommands throughout this guide — they wrap Terraform, Docker, and deployment into a tested pipeline.No scaffold? See Quick Deploy below, or the ADK deployment docs. For production infrastructure, scaffold with
/adk-scaffold.
For deeper details, consult these reference files in references/:
cloud-run.md — Scaling defaults, Dockerfile, session types, networkingagent-engine.md — deploy.py CLI, AdkApp pattern, Terraform resource, deployment metadata, CI/CD differencesgke.md — GKE Autopilot cluster, Terraform-managed Kubernetes resources, Workload Identity, session types, networkingterraform-patterns.md — Custom infrastructure, IAM, state management, importing resourcesevent-driven.md — Pub/Sub, Eventarc, BigQuery Remote Function triggers via custom fast_api_app.py endpointsObservability: See the adk-observability-guide skill for Cloud Trace, prompt-response logging, BigQuery Analytics, and third-party integrations.
Choose the right deployment target based on your requirements:
| Criteria | Agent Engine | Cloud Run | GKE |
|---|---|---|---|
| Languages | Python | Python | Python (+ others via custom containers) |
| Scaling | Managed auto-scaling (configurable min/max, concurrency) | Fully configurable (min/max instances, concurrency, CPU allocation) | Full Kubernetes scaling (HPA, VPA, node auto-provisioning) |
| Networking | VPC-SC and PSC supported | Full VPC support, direct VPC egress, IAP, ingress rules | Full Kubernetes networking |
| Session state | Native VertexAiSessionService (persistent, managed) |
In-memory (dev), Cloud SQL, or Agent Engine session backend | In-memory (dev), Cloud SQL, or Agent Engine session backend |
| Batch/event processing | Not supported | /invoke endpoint for Pub/Sub, Eventarc, BigQuery |
Custom (Kubernetes Jobs, Pub/Sub) |
| Cost model | vCPU-hours + memory-hours (not billed when idle) | Per-instance-second + min instance costs | Node pool costs (always-on or auto-provisioned) |
| Setup complexity | Lower (managed, purpose-built for agents) | Medium (Dockerfile, Terraform, networking) | Higher (Kubernetes expertise required) |
| Best for | Managed infrastructure, minimal ops | Custom infra, event-driven workloads | Full Kubernetes control |
Ask the user which deployment target fits their needs. Each is a valid production choice with different trade-offs.
For projects without Agent Starter Pack scaffolding. No Makefile, Terraform, or Dockerfile required.
# Cloud Run
adk deploy cloud_run --project=PROJECT --region=REGION path/to/agent/
# Agent Engine
adk deploy agent_engine --project=PROJECT --region=REGION path/to/agent/
# GKE (requires existing cluster)
adk deploy gke --project=PROJECT --cluster_name=CLUSTER --region=REGION path/to/agent/
All commands support --with_ui to deploy the ADK dev UI. Cloud Run also accepts extra gcloud flags after -- (e.g., -- --no-allow-unauthenticated).
See adk deploy --help or the ADK deployment docs for full flag reference.
For CI/CD, observability, or production infrastructure, scaffold with
/adk-scaffoldand use the sections below.
make setup-dev-env runs terraform apply in deployment/terraform/dev/. This provisions supporting infrastructure:
app_sa for the agent, used for runtime permissions)deployment/terraform/dev/This step is optional — make deploy works without it (Cloud Run creates the service on the fly via gcloud run deploy --source .). However, running it gives you proper service accounts, observability, and IAM setup.
make setup-dev-env
Note:
make deploydoesn't automatically use the Terraform-createdapp_sa. Pass--service-accountexplicitly or update the Makefile.
make deployIMPORTANT: Never run make deploy without explicit human approval.
Best for: Production applications, teams requiring staging → production promotion.
Prerequisites:
Steps:
If prototype, first add Terraform/CI-CD files using the Agent Starter Pack CLI (see /adk-scaffold for full options):
uvx agent-starter-pack enhance . --cicd-runner github_actions -y -s
Ensure you're logged in to GitHub CLI:
gh auth login # (skip if already authenticated)
Run setup-cicd:
uvx agent-starter-pack setup-cicd \
--staging-project YOUR_STAGING_PROJECT \
--prod-project YOUR_PROD_PROJECT \
--repository-name YOUR_REPO_NAME \
--repository-owner YOUR_GITHUB_USERNAME \
--auto-approve \
--create-repository
Push code to trigger deployments
setup-cicd Flags| Flag | Description |
|---|---|
--staging-project |
GCP project ID for staging environment |
--prod-project |
GCP project ID for production environment |
--repository-name / --repository-owner |
GitHub repository name and owner |
--auto-approve |
Skip Terraform plan confirmation prompts |
--create-repository |
Create the GitHub repo if it doesn't exist |
--cicd-project |
Separate GCP project for CI/CD infrastructure. Defaults to prod project |
--local-state |
Store Terraform state locally instead of in GCS (see references/terraform-patterns.md) |
Run uvx agent-starter-pack setup-cicd --help for the full flag reference (Cloud Build options, dev project, region, etc.).
| Runner | Pros | Cons |
|---|---|---|
| github_actions (Default) | No PAT needed, uses gh auth, WIF-based, fully automated |
Requires GitHub CLI authentication |
| google_cloud_build | Native GCP integration | Requires interactive browser authorization (or PAT + app installation ID for programmatic mode) |
Both runners use Workload Identity Federation (WIF) — GitHub/Cloud Build OIDC tokens are trusted by a GCP Workload Identity Pool, which grants cicd_runner_sa impersonation. No long-lived service account keys needed. Terraform in setup-cicd creates the pool, provider, and SA bindings automatically. If auth fails, re-run terraform apply in the CI/CD Terraform directory.
The pipeline has three stages:
main. Builds container, deploys to staging, runs load tests.
Path filter: Staging CD uses
paths: ['app/**']— it only triggers when files underapp/change. The first push aftersetup-cicdwon't trigger staging CD unless you modify something inapp/. If nothing happens after pushing, this is why.
workflow_run. Might require manual approval before deploying to production.
Approving: Go to GitHub Actions → the production workflow run → click "Review deployments" → approve the pending
productionenvironment. This is GitHub's environment protection rules, not a custom mechanism.
IMPORTANT: setup-cicd creates infrastructure but doesn't deploy automatically. Terraform configures all required GitHub secrets and variables (WIF credentials, project IDs, service accounts). Push code to trigger the pipeline:
git add . && git commit -m "Initial agent implementation"
git push origin main
To approve production deployment:
# GitHub Actions: Approve via repository Actions tab (environment protection rules)
# Cloud Build: Find pending build and approve
gcloud builds list --project=PROD_PROJECT --region=REGION --filter="status=PENDING"
gcloud builds approve BUILD_ID --project=PROD_PROJECT
For detailed infrastructure configuration (scaling defaults, Dockerfile, FastAPI endpoints, session types, networking), see references/cloud-run.md. For ADK docs on Cloud Run deployment, fetch https://adk.dev/deploy/cloud-run/index.md.
Agent Engine is a managed Vertex AI service for deploying Python ADK agents. Uses source-based deployment (no Dockerfile) via deploy.py and the AdkApp class.
No
gcloudCLI exists for Agent Engine. Deploy viadeploy.pyoradk deploy agent_engine. Query via the Pythonvertexai.ClientSDK.
Deployments can take 5-10 minutes. If make deploy times out, check if the engine was created and manually populate deployment_metadata.json with the engine resource ID (see reference for details).
For detailed infrastructure configuration (deploy.py flags, AdkApp pattern, Terraform resource, deployment metadata, session/artifact services, CI/CD differences), see references/agent-engine.md. For ADK docs on Agent Engine deployment, fetch https://adk.dev/deploy/agent-engine/index.md.
For detailed infrastructure configuration (Terraform-managed Kubernetes resources, Workload Identity, session types, networking), see references/gke.md. For ADK docs on GKE deployment, fetch https://adk.dev/deploy/gke/index.md.
Scaffolded projects use two service accounts:
app_sa (per environment) — Runtime identity for the deployed agent. Roles defined in deployment/terraform/iam.tf.cicd_runner_sa (CI/CD project) — CI/CD pipeline identity (GitHub Actions / Cloud Build). Lives in the CI/CD project (defaults to prod project), needs permissions in both staging and prod projects.Check deployment/terraform/iam.tf for exact role bindings. Cross-project permissions (Cloud Run service agents, artifact registry access) are also configured there.
Common 403 errors:
cicd_runner_sa missing deployment role in the target projectiam.serviceAccountUser binding on app_saapp_sa missing secretmanager.secretAccessorInstead of passing sensitive keys as environment variables, use GCP Secret Manager.
# Create a secret
echo -n "YOUR_API_KEY" | gcloud secrets create MY_SECRET_NAME --data-file=-
# Update an existing secret
echo -n "NEW_API_KEY" | gcloud secrets versions add MY_SECRET_NAME --data-file=-
Grant access: For Cloud Run, grant secretmanager.secretAccessor to app_sa. For Agent Engine, grant it to the platform-managed SA (service-PROJECT_NUMBER@gcp-sa-aiplatform-re.iam.gserviceaccount.com). For GKE, grant secretmanager.secretAccessor to app_sa. Access secrets via Kubernetes Secrets or directly via the Secret Manager API with Workload Identity.
Pass secrets at deploy time (Agent Engine):
make deploy SECRETS="API_KEY=my-api-key,DB_PASS=db-password:2"
Format: ENV_VAR=SECRET_ID or ENV_VAR=SECRET_ID:VERSION (defaults to latest). Access in code via os.environ.get("API_KEY").
See the adk-observability-guide skill for observability configuration (Cloud Trace, prompt-response logging, BigQuery Analytics, third-party integrations).
Option 1: Testing Notebook
jupyter notebook notebooks/adk_app_testing.ipynb
Option 2: Python Script
import json
import vertexai
with open("deployment_metadata.json") as f:
engine_id = json.load(f)["remote_agent_engine_id"]
client = vertexai.Client(location="us-central1")
agent = client.agent_engines.get(name=engine_id)
async for event in agent.async_stream_query(message="Hello!", user_id="test"):
print(event)
Option 3: Playground
make playground
Auth required by default. Cloud Run deploys with
--no-allow-unauthenticated, so all requests need anAuthorization: Bearerheader with an identity token. Getting a 403? You're likely missing this header. To allow public access, redeploy with--allow-unauthenticated.
SERVICE_URL="https://SERVICE_NAME-PROJECT_NUMBER.REGION.run.app"
AUTH="Authorization: Bearer $(gcloud auth print-identity-token)"
# Test health endpoint
curl -H "$AUTH" "$SERVICE_URL/"
# Step 1: Create a session (required before sending messages)
curl -X POST "$SERPrerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
anthropics/claude-code
mblode/agent-skills
github/awesome-copilot
leonxlnx/taste-skill
sickn33/antigravity-awesome-skills
erichowens/some_claude_skills
We added adk-deploy-guide from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend adk-deploy-guide for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Useful defaults in adk-deploy-guide — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Keeps context tight: adk-deploy-guide is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: adk-deploy-guide is focused, and the summary matches what you get after install.
We added adk-deploy-guide from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
adk-deploy-guide fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: adk-deploy-guide is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for adk-deploy-guide matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in adk-deploy-guide — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 70