GCP Setup: APIs, IAM and Secret Manager
Prerequisites
- Google Cloud CLI (`gcloud`) installed and up to date
- uv, the Python package manager used in the Dockerfiles
- GCP account with billing enabled
- Gemini API key (get one for free at aistudio.google.com)
1. Authentication
Log in with your Google Cloud account:

```bash
gcloud auth login
```

List your available projects:

```bash
gcloud projects list
```

Select the project where you’ll deploy:

```bash
gcloud config set project YOUR_PROJECT_ID
```

Verify it’s configured:

```bash
gcloud config get-value project
```

2. Enable APIs
The deploy requires four APIs: Cloud Run, Cloud Build, Artifact Registry and Secret Manager. Enable them with a single command (it is idempotent, so re-running it is safe):

```bash
gcloud services enable \
  run.googleapis.com \
  cloudbuild.googleapis.com \
  artifactregistry.googleapis.com \
  secretmanager.googleapis.com
```

3. Project ID and Project Number
These are two different values you’ll need:
- Project ID: the string you chose when creating the project (e.g., my-adk-project)
- Project Number: the numeric identifier that appears in the names of Google-managed service accounts (e.g., 123456789012)

Get both and store them in shell variables:

```bash
PROJECT_ID=$(gcloud config get-value project)
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
echo "Project ID: $PROJECT_ID"
echo "Project Number: $PROJECT_NUMBER"
```

4. Service account permissions
By default, Cloud Build runs with the Compute Engine default service account, {PROJECT_NUMBER}-compute@developer.gserviceaccount.com. It needs two additional roles to build and push images.

Permission to access Cloud Storage (build sources and container images):

```bash
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" \
  --role="roles/storage.objectAdmin"
```

Permission to execute builds:

```bash
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" \
  --role="roles/cloudbuild.builds.builder"
```

Both bindings are project-wide. roles/storage.objectAdmin grants read and write on every object in every bucket of the project, which is more than pushing an image needs; if that is the only requirement, roles/artifactregistry.writer on the target repository is the narrower choice. If your project is configured with a user-managed Cloud Build service account, bind the roles to that account instead of the Compute Engine default one.

5. Gemini API Key in Secret Manager
Create the secret with your API key:

```bash
echo -n "YOUR_GEMINI_API_KEY" | gcloud secrets create GEMINI_API_KEY \
  --replication-policy="automatic" \
  --data-file=-
```

Two caveats: a key typed on the command line is written to your shell history, so prefer reading it from a file you delete afterwards (`--data-file=/path/to/key` instead of the pipe); and Secret Manager stores the bytes verbatim, so a trailing newline becomes part of the key (`echo -n` avoids that here). If the secret already exists, add a new version with `gcloud secrets versions add GEMINI_API_KEY --data-file=-` instead of `create`.

Grant access to the Cloud Run service account. This is again the Compute Engine default account, because Cloud Run services run as it unless you configure a dedicated one:

```bash
gcloud secrets add-iam-policy-binding GEMINI_API_KEY \
  --member="serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"
```

This binding is scoped to the single secret, which is what you want: the service account can read GEMINI_API_KEY and nothing else in Secret Manager.
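The five steps above as one re-runnable script, added here as an example (it is not the project's own code). It assumes the API key is stored in a file passed on the command line rather than typed inline, checks each IAM binding before adding it so re-runs do not churn the policy, and adds a new secret version when GEMINI_API_KEY already exists. The helper names (validate_project_id, compute_sa_member, role_in_list, ensure_binding, secret_file_ok) and the `--apply` flag are mine, not part of the page.

```bash
#!/usr/bin/env bash
# Idempotent bootstrap for the GCP setup above (added example, not the project's script).
# Usage:  bash gcp_setup.sh --apply /path/to/gemini.key
# Assumption: the key lives in a file with mode 600 and no trailing newline, so it
# never lands in shell history and is stored byte-for-byte as typed.
set -eu

# Unquoted on purpose below so the shell splits it into four arguments.
REQUIRED_APIS="run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com secretmanager.googleapis.com"

# Project IDs are 6-30 chars: lowercase letters, digits and hyphens, starting with
# a letter and not ending in a hyphen. Also catches an empty `gcloud config` value.
validate_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Compute Engine default service account (used by Cloud Build and Cloud Run here),
# in the member syntax gcloud expects. Rejects anything that is not a project number.
compute_sa_member() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric, got '$1'" >&2; return 1 ;;
  esac
  printf 'serviceAccount:%s-compute@developer.gserviceaccount.com' "$1"
}

# $1: newline-separated role list, $2: role to find. Whole-line match, so
# roles/storage.objectAdmin never matches roles/storage.objectViewer or a prefix.
role_in_list() {
  printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Roles $2 currently holds at project level, one per line.
member_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# ensure_binding PROJECT MEMBER ROLE: bind only if missing.
ensure_binding() {
  if role_in_list "$(member_roles "$1" "$2")" "$3"; then
    echo "ok: $2 already has $3"
  else
    gcloud projects add-iam-policy-binding "$1" --member="$2" --role="$3" --quiet >/dev/null
    echo "added: $3 -> $2"
  fi
}

# The key file must exist, be non-empty, not end in a newline (Secret Manager would
# store it) and not be readable by group/others.
secret_file_ok() {
  [ -s "$1" ] || { echo "secret file missing or empty: $1" >&2; return 1; }
  [ -n "$(tail -c1 "$1")" ] || { echo "secret file $1 ends with a newline; write it with printf '%s'" >&2; return 1; }
  case "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")" in
    *00) return 0 ;;
    *) echo "secret file $1 is readable by others; run: chmod 600 $1" >&2; return 1 ;;
  esac
}

main() {
  key_file="$1"
  secret_file_ok "$key_file"
  project_id="$(gcloud config get-value project 2>/dev/null)"
  validate_project_id "$project_id" || { echo "no valid project set; run: gcloud config set project <id>" >&2; exit 1; }
  project_number="$(gcloud projects describe "$project_id" --format='value(projectNumber)')"
  member="$(compute_sa_member "$project_number")"

  gcloud services enable $REQUIRED_APIS --project "$project_id"

  ensure_binding "$project_id" "$member" roles/cloudbuild.builds.builder
  ensure_binding "$project_id" "$member" roles/storage.objectAdmin

  if gcloud secrets describe GEMINI_API_KEY --project "$project_id" >/dev/null 2>&1; then
    gcloud secrets versions add GEMINI_API_KEY --data-file="$key_file" --project "$project_id"
  else
    gcloud secrets create GEMINI_API_KEY --replication-policy=automatic \
      --data-file="$key_file" --project "$project_id"
  fi
  # Scoped to the one secret, not the project.
  gcloud secrets add-iam-policy-binding GEMINI_API_KEY --member="$member" \
    --role=roles/secretmanager.secretAccessor --project "$project_id" >/dev/null
  echo "done: project=$project_id number=$project_number member=$member"
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then main "$2"; fi
```

Without `--apply` the script only defines its functions, which makes the pure checks (project-ID syntax, member string, role lookup, key-file hygiene) easy to exercise locally before pointing it at a real project. Write the key file with `printf '%s' "$KEY" > gemini.key && chmod 600 gemini.key` so it passes secret_file_ok.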