Secure and fast deployments to Google Agent Engine with GitLab

In this tutorial, you'll learn how to deploy an AI agent built with Google's Agent Development Kit (ADK) to Agent Engine using GitLab's native Google Cloud integration and CI/CD pipelines. We'll cover IAM configuration, pipeline setup, and testing your deployed agent.

What is Agent Engine and why does it matter?

Agent Engine is Google Cloud's managed runtime specifically designed for AI agents. Think of it as the production home for your agents — where they live, run, and scale without you having to manage the underlying infrastructure. Agent Engine handles infrastructure, scaling, session management, and memory storage so you can focus on building your agent — not managing servers. It also integrates natively with Google Cloud's logging, monitoring, and IAM.

Why use GitLab to deploy to Agent Engine?

AI agent deployment is typically difficult to configure correctly. Security considerations, CI/CD orchestration, and cloud permissions create friction that slows down development cycles.

GitLab streamlines this entire process while enhancing security:

• Built-in security scanning — Every deployment is automatically scanned for vulnerabilities without additional configuration.
• Native Google Cloud integration — Workload Identity Federation eliminates the need for service account keys.
• Simplified CI/CD — GitLab's templates handle complex deployment logic.

Prerequisites

Before you begin, ensure you have:

• A Google Cloud project with the following APIs enabled:
  • Cloud Storage API
  • Vertex AI API
• A GitLab project for your source code and CI/CD pipeline
• A Google Cloud Storage bucket for staging deployments
• Google Cloud IAM integration configured in GitLab (see Step 1)

Here are the steps to follow.

1. Configure IAM integration

The foundation of secure deployment is proper IAM configuration between GitLab and Google Cloud using Workload Identity Federation.

In your GitLab project:

1. Navigate to Settings > Integrations.
2. Locate the Google Cloud IAM integration.
3. Provide the following information:
   • Project ID: Your Google Cloud project ID
   • Project Number: Found in your Google Cloud console
   • Workload Identity Pool ID: A unique identifier for your identity pool
   • Provider ID: A unique identifier for your identity provider

GitLab generates a script for you. Copy and run this script in Google Cloud Shell to establish the Workload Identity Federation between platforms.

Important: Add these additional roles to your service principal for Agent Engine deployment:

• roles/aiplatform.user
• roles/storage.objectAdmin

You can add these roles using gcloud commands:

      GCP_PROJECT_ID="<your-project-id>"
GCP_PROJECT_NUMBER="<your-project-number>"
GCP_WORKLOAD_IDENTITY_POOL="<your-pool-id>"

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/aiplatform.user'

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \
  --role='roles/storage.objectAdmin'

    

2. Create the CI/CD pipeline

Now for the core of the deployment — the CI/CD pipeline. Create a .gitlab-ci.yml file in your project root:

      stages:
  - test
  - deploy

cache:
  paths:
    - .cache/pip
  key: ${CI_COMMIT_REF_SLUG}

variables:
  GCP_PROJECT_ID: "<your-project-id>"
  GCP_REGION: "us-central1"
  STORAGE_BUCKET: "<your-staging-bucket>"
  AGENT_NAME: "Canada City Advisor"
  AGENT_ENTRY: "canada_city_advisor"

image: google/cloud-sdk:slim

# Security scanning templates
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

deploy-agent:
  stage: deploy
  identity: google_cloud
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  before_script:
    - gcloud config set core/disable_usage_reporting true
    - gcloud config set component_manager/disable_update_check true
    - pip install -q --no-cache-dir --upgrade pip google-genai google-cloud-aiplatform -r requirements.txt --break-system-packages
  script:
    - gcloud config set project $GCP_PROJECT_ID
    - adk deploy agent_engine 
        --project=$GCP_PROJECT_ID 
        --region=$GCP_REGION 
        --staging_bucket=gs://$STORAGE_BUCKET 
        --display_name="$AGENT_NAME" 
        $AGENT_ENTRY

    

The pipeline consists of two stages:

Test stage — GitLab's security scanners run automatically. The included templates provide dependency scanning, static application security testing (SAST), and secret detection without additional configuration.

Deploy stage — Uses the ADK CLI to deploy your agent directly to Agent Engine. The staging bucket temporarily holds your application workload before Agent Engine picks it up for deployment.

Key configuration notes

• The identity: google_cloud directive enables keyless authentication via Workload Identity Federation.
• Security scanners are included as templates, meaning they run by default with no setup required.
• The adk deploy agent_engine command handles all the complexity of packaging and deploying your agent.
• Pipeline caching speeds up subsequent deployments by preserving pip dependencies.

3. Deploy and verify

With your pipeline configured:

1. Commit your agent code and .gitlab-ci.yml to GitLab.
2. Navigate to Build > Pipelines to monitor execution.
3. Watch the test stage complete security scans.
4. Observe the deploy stage push your agent to Agent Engine.

Once the pipeline succeeds, verify your deployment in the Google Cloud Console:

1. Navigate to Vertex AI > Agent Engine.
2. Locate your deployed agent.
3. Note the resource name — you'll need this for testing.

4. Test your deployed agent

Test your agent using a curl command. You'll need three pieces of information:

• Agent ID: From the Agent Engine console (the resource name's numeric identifier)
• Project ID: Your Google Cloud project
• Location: The region where you deployed (e.g., us-central1)

      PROJECT_ID="<your-project-id>"
LOCATION="us-central1"
AGENT_ID="<your-agent-id>"
TOKEN=$(gcloud auth print-access-token)

curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  "https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/reasoningEngines/${AGENT_ID}:streamQuery" \
  -d '{
    "input": {
      "message": "I make $85,000 per year and I prefer cities with mild winters and a vibrant cultural scene. I also want to be near the coast if possible. What Canadian cities would you recommend?",
      "user_id": "demo-user"
    }
  }' | jq -r '.content.parts[0].text'

    

If everything is configured correctly, your agent will respond with personalized city recommendations based on the budget and lifestyle preferences provided.

Security benefits of this approach

This deployment pattern provides several security advantages:

• No long-lived credentials: Workload Identity Federation eliminates service account keys entirely.
• Automated vulnerability scanning: Every deployment is scanned before reaching production.
• Complete audit trail: GitLab maintains full visibility of who deployed what and when.
• Principle of least privilege: Fine-grained IAM roles limit access to only what's needed.

Summary

Deploying AI agents to production doesn't have to be complex. By combining GitLab's DevSecOps platform with Google Cloud's Agent Engine, you get:

• A managed runtime that handles scaling and infrastructure
• Built-in security scanning without additional tooling
• Keyless authentication via native cloud integration
• A streamlined deployment process that fits modern AI development workflows

Watch the full demo:

Ready to try it yourself? Use this tutorial's complete code example to get started now. Not a GitLab customer yet? Explore the DevSecOps platform with a free trial.