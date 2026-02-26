In this tutorial, you'll learn how to deploy an AI agent built with Google's Agent Development Kit ( ADK) to Agent Engine using GitLab's native Google Cloud integration and CI/CD pipelines. We'll cover IAM configuration, pipeline setup, and testing your deployed agent.

What is Agent Engine and why does it matter?

Agent Engine is Google Cloud's managed runtime specifically designed for AI agents. Think of it as the production home for your agents — where they live, run, and scale without you having to manage the underlying infrastructure. Agent Engine handles infrastructure, scaling, session management, and memory storage so you can focus on building your agent — not managing servers. It also integrates natively with Google Cloud's logging, monitoring, and IAM.

Why use GitLab to deploy to Agent Engine?

AI agent deployment is typically difficult to configure correctly. Security considerations, CI/CD orchestration, and cloud permissions create friction that slows down development cycles.

GitLab streamlines this entire process while enhancing security:

Built-in security scanning — Every deployment is automatically scanned for vulnerabilities without additional configuration.

— Every deployment is automatically scanned for vulnerabilities without additional configuration. Native Google Cloud integration — Workload Identity Federation eliminates the need for service account keys.

— Workload Identity Federation eliminates the need for service account keys. Simplified CI/CD — GitLab's templates handle complex deployment logic.

Prerequisites

Before you begin, ensure you have:

A Google Cloud project with the following APIs enabled: Cloud Storage API Vertex AI API

A GitLab project for your source code and CI/CD pipeline

A Google Cloud Storage bucket for staging deployments

Google Cloud IAM integration configured in GitLab (see Step 1)

Here are the steps to follow.

1. Configure IAM integration

The foundation of secure deployment is proper IAM configuration between GitLab and Google Cloud using Workload Identity Federation.

In your GitLab project:

Navigate to Settings > Integrations. Locate the Google Cloud IAM integration. Provide the following information: Project ID : Your Google Cloud project ID

: Your Google Cloud project ID Project Number : Found in your Google Cloud console

: Found in your Google Cloud console Workload Identity Pool ID : A unique identifier for your identity pool

: A unique identifier for your identity pool Provider ID: A unique identifier for your identity provider

GitLab generates a script for you. Copy and run this script in Google Cloud Shell to establish the Workload Identity Federation between platforms.

Important: Add these additional roles to your service principal for Agent Engine deployment:

roles/aiplatform.user

roles/storage.objectAdmin

You can add these roles using gcloud commands:

Copy GCP_PROJECT_ID="<your-project-id>" GCP_PROJECT_NUMBER="<your-project-number>" GCP_WORKLOAD_IDENTITY_POOL="<your-pool-id>" gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \ --role='roles/aiplatform.user' gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \ --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL}/attribute.developer_access/true" \ --role='roles/storage.objectAdmin'

2. Create the CI/CD pipeline

Now for the core of the deployment — the CI/CD pipeline. Create a .gitlab-ci.yml file in your project root:

Copy stages: - test - deploy cache: paths: - .cache/pip key: ${CI_COMMIT_REF_SLUG} variables: GCP_PROJECT_ID: "<your-project-id>" GCP_REGION: "us-central1" STORAGE_BUCKET: "<your-staging-bucket>" AGENT_NAME: "Canada City Advisor" AGENT_ENTRY: "canada_city_advisor" image: google/cloud-sdk:slim # Security scanning templates include: - template: Jobs/Dependency-Scanning.gitlab-ci.yml - template: Jobs/SAST.gitlab-ci.yml - template: Jobs/Secret-Detection.gitlab-ci.yml deploy-agent: stage: deploy identity: google_cloud rules: - if: $CI_COMMIT_BRANCH == "main" before_script: - gcloud config set core/disable_usage_reporting true - gcloud config set component_manager/disable_update_check true - pip install -q --no-cache-dir --upgrade pip google-genai google-cloud-aiplatform -r requirements.txt --break-system-packages script: - gcloud config set project $GCP_PROJECT_ID - adk deploy agent_engine --project=$GCP_PROJECT_ID --region=$GCP_REGION --staging_bucket=gs://$STORAGE_BUCKET --display_name="$AGENT_NAME" $AGENT_ENTRY

The pipeline consists of two stages:

Test stage — GitLab's security scanners run automatically. The included templates provide dependency scanning, static application security testing (SAST), and secret detection without additional configuration.

Deploy stage — Uses the ADK CLI to deploy your agent directly to Agent Engine. The staging bucket temporarily holds your application workload before Agent Engine picks it up for deployment.

Key configuration notes

The identity: google_cloud directive enables keyless authentication via Workload Identity Federation.

directive enables keyless authentication via Workload Identity Federation. Security scanners are included as templates, meaning they run by default with no setup required.

The adk deploy agent_engine command handles all the complexity of packaging and deploying your agent.

command handles all the complexity of packaging and deploying your agent. Pipeline caching speeds up subsequent deployments by preserving pip dependencies.

3. Deploy and verify

With your pipeline configured:

Commit your agent code and .gitlab-ci.yml to GitLab. Navigate to Build > Pipelines to monitor execution. Watch the test stage complete security scans. Observe the deploy stage push your agent to Agent Engine.

Once the pipeline succeeds, verify your deployment in the Google Cloud Console:

Navigate to Vertex AI > Agent Engine. Locate your deployed agent. Note the resource name — you'll need this for testing.

4. Test your deployed agent

Test your agent using a curl command. You'll need three pieces of information:

Agent ID : From the Agent Engine console (the resource name's numeric identifier)

: From the Agent Engine console (the resource name's numeric identifier) Project ID : Your Google Cloud project

: Your Google Cloud project Location: The region where you deployed (e.g., us-central1 )

Copy PROJECT_ID="<your-project-id>" LOCATION="us-central1" AGENT_ID="<your-agent-id>" TOKEN=$(gcloud auth print-access-token) curl -X POST \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ "https://${LOCATION}-aiplatform.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/reasoningEngines/${AGENT_ID}:streamQuery" \ -d '{ "input": { "message": "I make $85,000 per year and I prefer cities with mild winters and a vibrant cultural scene. I also want to be near the coast if possible. What Canadian cities would you recommend?", "user_id": "demo-user" } }' | jq -r '.content.parts[0].text'

If everything is configured correctly, your agent will respond with personalized city recommendations based on the budget and lifestyle preferences provided.

Security benefits of this approach

This deployment pattern provides several security advantages:

No long-lived credentials : Workload Identity Federation eliminates service account keys entirely.

: Workload Identity Federation eliminates service account keys entirely. Automated vulnerability scanning : Every deployment is scanned before reaching production.

: Every deployment is scanned before reaching production. Complete audit trail : GitLab maintains full visibility of who deployed what and when.

: GitLab maintains full visibility of who deployed what and when. Principle of least privilege: Fine-grained IAM roles limit access to only what's needed.

Summary

Deploying AI agents to production doesn't have to be complex. By combining GitLab's DevSecOps platform with Google Cloud's Agent Engine, you get:

A managed runtime that handles scaling and infrastructure

Built-in security scanning without additional tooling

Keyless authentication via native cloud integration

A streamlined deployment process that fits modern AI development workflows

Watch the full demo: