# Agent Deployment and Security Workflow (Cloud Run & Agent Engine)

This notebook demonstrates deploying an AI Agent to both Google Cloud Run and Vertex AI Agent Engine, focusing on the integration of **Model Armor** for responsible AI/security filtering. It also illustrates a common deployment issue related to Google Cloud Storage (GCS) permissions on the Agent Engine's custom code service account and how to resolve it.

In [None]:
# 1. Setup and Installation
# This cell installs all the necessary Python libraries for Google Cloud services, 
# including Vertex AI, Model Armor, and the Google Agent Development Kit (ADK).

!pip install pyyaml
!pip install cloudpickle==3.1.1
!pip install google-cloud-api-keys
!pip install uvicorn
!pip install fastapi
!pip install python-dotenv
!pip install google-adk
!pip install --upgrade google-cloud-aiplatform
!pip install --upgrade google-cloud-modelarmor
!pip install google-genai

# 2. Configuration Variables

Set your Google Cloud project details and deployment locations. The `BUCKET` variable is crucial as it serves as the staging location for the Agent Engine deployment, and its permissions will be tested later.

In [None]:
# Update the variable values below with your specific project details.

PROJECT_ID = "data-vpc-sc-demo"  # @param {type:"string"}
PROJECT_NUMBER = "1083677030545"  # @param {type:"string"} # Get this from Project settings in GCP Console
LOCATION = "us-central1" # @param {type:"string"}

# BUCKET is used for storing the agent code package during Agent Engine deployment.
# IMPORTANT: This bucket MUST exist in your project and be in the same region as the deployment.
# We will use a dynamically generated bucket name based on the PROJECT_ID.
BUCKET_NAME = f"{PROJECT_ID}-agent-artifacts"
BUCKET = f"gs://{BUCKET_NAME}"

# Model Armor Template ID (assuming you created this manually)
MODEL_ARMOR_TEMPLATE_ID = "glean-poc-template" # @param {type:"string"}

print(f"Project ID: {PROJECT_ID}")
print(f"Deployment Location: {LOCATION}")
print(f"Agent Engine Staging Bucket: {BUCKET}")

# Ensure the bucket exists (optional, but good practice)
!gsutil mb -p {PROJECT_ID} -l {LOCATION} {BUCKET}

# 3. Authentication

Authenticate your user session. This is required to execute Google Cloud commands and deploy resources.

In [None]:
from google.colab import auth

# Authenticate the user to access Google Cloud services
auth.authenticate_user(project_id=PROJECT_ID)

# Set the project for subsequent gcloud commands
!gcloud config set project {PROJECT_ID}

# 4. Model Armor and DLP Setup (Prerequisites)

Model Armor requires its API to be enabled and a template to be created in the GCP Console to define security and responsible AI policies (like DLP and harmful content filtering).

### 4.1 Enable Model Armor API

In [None]:
# Enable the Model Armor API
!gcloud services enable modelarmor.googleapis.com --project={PROJECT_ID}

### 4.2 Manual Step: Create Model Armor Template and DLP Configuration

**Note:** The following steps are typically performed manually in the Google Cloud Console or via the API/gcloud before running this notebook.

1.  **Create Sensitive Data Protection (DLP) Inspection Template** (e.g., ID: `sensitive_data_protection`) in the DLP console.
2.  **Create Model Armor Template** (ID: `glean-poc-template`) in the Model Armor console, linking the DLP template and setting Responsible AI confidence thresholds.

# 5. Stage 1: Cloud Run Deployment

This section clones a sample agent repository, configures the environment variables (including the Model Armor template ID), and deploys the agent as a containerized service using Cloud Run.

In [None]:
CLOUD_RUN_SERVICE_NAME = "capital-agent-service"

# Clone Repository and Prepare Environment
%cd /content/
!rm -rf ai-agent
!git clone https://github.com/avnit/ai-agent.git
%cd ai-agent/

# Create .env file with Model Armor settings for the agent to use
!echo "GOOGLE_CLOUD_PROJECT={PROJECT_ID}" > modelarmor/.env
!echo "GOOGLE_CLOUD_LOCATION={LOCATION}" >> modelarmor/.env
!echo "AIP_ENDPOINT_ID={MODEL_ARMOR_TEMPLATE_ID}" >> modelarmor/.env
!echo "GOOGLE_GENAI_USE_VERTEXAI=true" >> modelarmor/.env

# Deploy to Cloud Run
!gcloud run deploy {CLOUD_RUN_SERVICE_NAME} \
--source . \
--region {LOCATION} \
--project {PROJECT_ID} \
--allow-unauthenticated \
--set-env-vars="GOOGLE_CLOUD_PROJECT={PROJECT_ID},GOOGLE_CLOUD_LOCATION={LOCATION},AIP_ENDPOINT_ID={MODEL_ARMOR_TEMPLATE_ID},GOOGLE_GENAI_USE_VERTEXAI=true"

# 6. Stage 2: Agent Engine Deployment (Permission Denied Scenario)

Vertex AI Agent Engine deployment requires the Vertex AI Custom Code Service Agent to have read/write access to the staging GCS bucket. We will first identify this service account and then simulate a deployment *failure* due to missing permissions.

In [None]:
# Identify the Vertex AI Custom Code Service Account
# This service account requires permissions on the GCS bucket.
SERVICE_AGENT = f"service-{PROJECT_NUMBER}@gcp-sa-aiplatform-customcode.iam.gserviceaccount.com"
print(f"Vertex AI Custom Code Service Account: {SERVICE_AGENT}")

# Clone and Prepare Agent Engine Repository
%cd /content/
!rm -rf ai-agent-deploy-ae
!git clone https://github.com/avnit/ai-agent-deploy-ae/
%cd ai-agent-deploy-ae/labs/AgentEngineDeploy/

# Configure .env for Agent Engine
!echo "GOOGLE_CLOUD_PROJECT={PROJECT_ID}" > .env
!echo "GOOGLE_CLOUD_LOCATION={LOCATION}" >> .env
!echo "AIP_ENDPOINT_ID={MODEL_ARMOR_TEMPLATE_ID}" >> .env
!echo "GOOGLE_GENAI_USE_VERTEXAI=true" >> .env

# --- ATTEMPT DEPLOYMENT (EXPECTED TO FAIL) ---
# The staging bucket permissions for the Service Agent are currently insufficient.

AGENT_DISPLAY_NAME_FAIL = "adk-agent-test-fail"
print("\n--- ATTEMPTING DEPLOYMENT (EXPECTED TO FAIL: 403 Permission Denied) ---")

# The adk deploy command will fail if the service account does not have Storage Object Admin access to the bucket.
!adk deploy agent_engine \
    --project={PROJECT_ID} \
    --region={LOCATION} \
    --staging_bucket={BUCKET} \
    --display_name={AGENT_DISPLAY_NAME_FAIL} \
    .

# The expected output from the `adk deploy` command would be similar to:
# Deploy failed: 403 GET https://storage.googleapis.com/storage/v1/b/... Permission 'storage.buckets.get' denied...

# 7. Stage 3: Fix Permissions and Successful Redeployment

We will now use the `gcloud storage` command to grant the necessary `Storage Object Admin` role (`roles/storage.objectAdmin`) to the Service Agent on the GCS bucket. Once permissions are granted, the redeployment should succeed.

In [None]:
# --- FIXING PERMISSIONS ---
# Grant the required Storage Object Admin role to the Service Account on the GCS bucket
print(f"\n--- FIXING PERMISSIONS ---")
print(f"Granting 'Storage Object Admin' role to {SERVICE_AGENT} on bucket {BUCKET}")

!gcloud storage buckets add-iam-policy-binding {BUCKET} \
--member=serviceAccount:{SERVICE_AGENT} \
--role=roles/storage.objectAdmin \
--project={PROJECT_ID}

# --- REDEPLOYMENT (EXPECTED TO SUCCEED) ---
AGENT_DISPLAY_NAME_SUCCESS = "adk-agent-success"

print("\n--- REDEPLOYMENT (EXPECTED TO SUCCEED) ---")
!adk deploy agent_engine \
    --project={PROJECT_ID} \
    --region={LOCATION} \
    --staging_bucket={BUCKET} \
    --display_name={AGENT_DISPLAY_NAME_SUCCESS} \
    .

# 8. Cleanup

Remove the local cloned directories.

In [None]:
# Navigate back to the content directory and clean up
%cd /content/
!rm -rf ai-agent ai-agent-deploy-ae