1. Introduction
Gemini Cloud Assist is a fully featured agent that supports your Google Cloud workloads. The agent is your partner for designing new applications or updating existing ones, deploying and running workloads in Google Cloud, troubleshooting workloads, and optimizing them for cost and performance.
Gemini Cloud Assist improves your ability to respond to unexpected errors and downtime.
What you'll learn
- Deployment: How to deploy a basic backend and database to Google Cloud.
- Debug: How Gemini Cloud Assist automates the investigation and root cause analysis of cloud and code issues.
- Remediation: How Gemini Cloud Assist helps identify fixes based on the root cause.
2. Project setup
Google Account
If you don't already have a personal Google Account, you must create a Google Account.
Use a personal account instead of a work or school account.
Sign-in to the Google Cloud Console
Sign-in to the Google Cloud Console using a personal Google account.
Enable Billing
Set up a personal billing account
If you set up billing using Google Cloud credits, you can skip this step.
To set up a personal billing account, go here to enable billing in the Cloud Console.
Some Notes:
- Completing this lab should cost less than $1 USD in Cloud resources.
- You can follow the steps at the end of this lab to delete resources to avoid further charges.
- New users are eligible for the $300 USD Free Trial.
Create a project (optional)
If you do not have a current project you'd like to use for this lab, create a new project here.
3. Open Cloud Shell Editor
- Click this link to navigate directly to Cloud Shell Editor
- If prompted to authorize at any point today, click Authorize to continue.
- If the terminal doesn't appear at the bottom of the screen, open it:
- Click View
- Click Terminal
- In the terminal, set your project with this command:
gcloud config set project [PROJECT_ID]- Example:
gcloud config set project lab-project-id-example - If you can't remember your project ID, you can list all your project IDs with:
gcloud projects list
- Example:
- You should see this message:
Updated property [core/project].
4. Enable APIs
Enable the following APIs for the application components to deploy, and to use Google Cloud Assist:
In the terminal, enable the APIs:
```bash
gcloud services enable \
container.googleapis.com \
artifactregistry.googleapis.com \
cloudbuild.googleapis.com \
alloydb.googleapis.com \
run.googleapis.com
```
<br>
When the command finishes, you should see an output like the following:
<br>
```console
Operation "operations/acf.p2-176675280136-b03ab5e4-3483-4ebf-9655-43dc3b345c63" finished successfully.
```
5. Prepare the Project
You will create the basic application and deployment in order to test Cloud Assist.
Create the directory
- Open the Cloud Shell Editor, or your developer environment of choice.
- Create a new folder:
mkdir -p ~/gemini-cloud-assist-debug mkdir -p ~/gemini-cloud-assist-debug/auth_issue_demo mkdir -p ~/gemini-cloud-assist-debug/terraform cd ~/gemini-cloud-assist-debug - In the terminal, run the following command to open a Cloud Shell Editor workspace:
cloudshell open-workspace ~/gemini-cloud-assist-debug
Create the files
You will now create the necessary starter files for the application.
- Create the Dockerfile by running the following in the terminal. This file handles the creation of the application container.
cat <<EOF > ~/gemini-cloud-assist-debug/auth_issue_demo/Dockerfile
FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY main.py .
CMD ["gunicorn", "--bind", "0.0.0.0:8080", "main:app"]
EOF
- Create the
main.pyfile by running the following in the terminal. This file contains the application written in Python.
cat <<EOF > ~/gemini-cloud-assist-debug/auth_issue_demo/main.py
import os
import logging
from flask import Flask
from google.cloud.alloydb.connector import Connector
import sqlalchemy
app = Flask(__name__)
# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
# Configuration from Environment Variables
# The fully qualified instance URI: projects/<PROJECT>/locations/<REGION>/clusters/<CLUSTER>/instances/<INSTANCE>
ALLOYDB_URI = os.environ.get("ALLOYDB_URI")
DB_USER = os.environ.get("DB_USER", "auth-debug")
DB_PASS = os.environ.get("DB_PASS", "debug-auth")
DB_NAME = os.environ.get("DB_NAME", "postgres")
USE_PUBLIC_IP = os.environ.get("USE_PUBLIC_IP", "false").lower() == "true"
# Initialize Connector lazily
_connector = None
def get_connector():
global _connector
if _connector is None:
_connector = Connector()
return _connector
def getconn():
connector = get_connector()
ip_type = "PUBLIC" if USE_PUBLIC_IP else "PRIVATE"
conn = connector.connect(
ALLOYDB_URI,
"pg8000",
user=DB_USER,
password=DB_PASS,
db=DB_NAME,
ip_type=ip_type
)
return conn
@app.route("/")
def index():
return "AlloyDB Auth Demo. /connect to test.", 200
@app.route("/connect")
def connect_db():
if not ALLOYDB_URI:
return "FAILURE: ALLOYDB_URI env var is not set.", 500
try:
logger.info(f"Attempting connection to {ALLOYDB_URI} with user {DB_USER}...")
# Create connection pool
pool = sqlalchemy.create_engine(
"postgresql+pg8000://",
creator=getconn,
)
with pool.connect() as db_conn:
# Simple query to validate connection
result = db_conn.execute(sqlalchemy.text("SELECT NOW()")).fetchone()
timestamp = result[0]
msg = f"SUCCESS: Connected to AlloyDB! DB Time: {timestamp}"
logger.info(msg)
return msg, 200
except Exception as e:
logger.exception("Connection failed")
# Return the error to the caller to visualize the auth failure
return f"FAILURE: Connection Error.\nDetails: {str(e)}", 500
if __name__ == "__main__":
app.run(host="0.0.0.0", port=int(os.environ.get("PORT", 8080)))
EOF
- Create the
requirements.txtfile by running the following in the terminal. This file handles Python package requirements.
cat <<EOF > ~/gemini-cloud-assist-debug/auth_issue_demo/requirements.txt
flask==3.1.3
gunicorn==25.3.0
google-cloud-alloydb-connector[pg8000]==1.12.1
sqlalchemy==2.0.49
EOF
- Create the
main.tffile by running the following in the terminal. This file handles Google Cloud resources to be created.
cat <<EOF > ~/gemini-cloud-assist-debug/terraform/main.tf
provider "google" {
project = var.project_id
region = var.region
}
# Enable APIs
locals {
apis = [
"alloydb.googleapis.com",
"run.googleapis.com",
"artifactregistry.googleapis.com",
"compute.googleapis.com",
"geminicloudassist.googleapis.com",
"monitoring.googleapis.com",
"cloudasset.googleapis.com",
"cloudbuild.googleapis.com",
"recommender.googleapis.com",
"appoptimize.googleapis.com"
]
}
resource "random_password" "db_pass" {
count = var.db_password == null ? 1 : 0
length = 16
special = true
override_special = "!#$%&*()-_=+[]{}<>:?"
}
locals {
db_password = var.db_password != null ? var.db_password : random_password.db_pass[0].result
}
resource "google_project_service" "apis" {
for_each = toset(local.apis)
service = each.value
disable_on_destroy = false
}
# Service Account
resource "google_service_account" "auth_demo_sa" {
account_id = var.service_account_name
display_name = "Auth Demo SA"
}
# AlloyDB Cluster
resource "google_alloydb_cluster" "rma_cluster" {
cluster_id = var.cluster_id
location = var.region
# Initial password, managed via variable or generated randomly
initial_user {
password = local.db_password
}
# Use default network as in the manual setup
network_config {
network = "projects/${var.project_id}/global/networks/default"
}
depends_on = [google_project_service.apis["alloydb.googleapis.com"]]
}
# AlloyDB Instance
resource "google_alloydb_instance" "rma_instance_1" {
cluster = google_alloydb_cluster.rma_cluster.name
instance_id = var.instance_id
instance_type = "PRIMARY"
machine_config {
cpu_count = 2
}
network_config {
enable_public_ip = true
}
depends_on = [google_alloydb_cluster.rma_cluster]
}
# Cloud Run Service
resource "google_cloud_run_service" "auth_issue_demo" {
name = var.cloud_run_service_name
location = var.region
template {
spec {
containers {
image = var.cloud_run_image
env {
name = "ALLOYDB_URI"
value = "projects/${var.project_id}/locations/${var.region}/clusters/${var.cluster_id}/instances/${var.instance_id}"
}
env {
name = "DB_USER"
value = "postgres"
}
env {
name = "DB_PASS"
value = local.db_password
}
env {
name = "USE_PUBLIC_IP"
value = "true"
}
}
service_account_name = google_service_account.auth_demo_sa.email
}
}
traffic {
percent = 100
latest_revision = true
}
depends_on = [google_project_service.apis["run.googleapis.com"], google_alloydb_instance.rma_instance_1]
}
# Allow unauthenticated access to Cloud Run service (matching --allow-unauthenticated)
resource "google_cloud_run_service_iam_member" "public_access" {
location = google_cloud_run_service.auth_issue_demo.location
project = google_cloud_run_service.auth_issue_demo.project
service = google_cloud_run_service.auth_issue_demo.name
role = "roles/run.invoker"
member = "allUsers"
}
EOF
- Create the
variables.tffile by running the following in the terminal. This file handles Terraform variables for the Google Cloud resources.
cat <<EOF > ~/gemini-cloud-assist-debug/terraform/variables.tf
variable "project_id" {
description = "The ID of the Google Cloud project."
type = string
}
variable "region" {
description = "The region to deploy resources in."
type = string
default = "us-central1"
}
variable "cluster_id" {
description = "The ID of the AlloyDB cluster."
type = string
default = "rma-cluster"
}
variable "instance_id" {
description = "The ID of the AlloyDB instance."
type = string
default = "rma-instance-1"
}
variable "service_account_name" {
description = "The name of the service account."
type = string
default = "auth-demo-sa"
}
variable "cloud_run_service_name" {
description = "The name of the Cloud Run service."
type = string
default = "auth-issue-demo"
}
variable "cloud_run_image" {
description = "The container image for the Cloud Run service."
type = string
}
variable "db_password" {
description = "The database password. If not provided, a random one will be generated."
type = string
sensitive = true
default = null
}
EOF
- Create the
setup_via_tf.shfile by running the following in the terminal. This file handles Python package requirements.
cat <<EOF > ~/gemini-cloud-assist-debug/setup_via_tf.sh
#!/bin/bash
set -e
# Get script directory and change to project root
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd "$SCRIPT_DIR"
# Load configuration from .env
if [ -f .env ]; then
set -a
source .env
set +a
else
echo "ERROR: .env file not found. Please create one with PROJECT_ID."
exit 1
fi
if [ -z "$PROJECT_ID" ]; then
echo "ERROR: PROJECT_ID is not set in .env file."
exit 1
fi
REGION="us-central1"
CLUSTER_ID="rma-cluster"
INSTANCE_ID="rma-instance-1"
SA_NAME="auth-demo-sa"
SERVICE_NAME="auth-issue-demo"
echo "--- Terraform Setup for Auth Demo ---"
echo "Using Project: $PROJECT_ID"
# Get current Cloud Run image
echo "Fetching current Cloud Run image..."
IMAGE=$(gcloud run services describe $SERVICE_NAME --region=$REGION --project=$PROJECT_ID --format="value(spec.template.spec.containers[0].image)" 2>/dev/null || true)
if [ -z "$IMAGE" ]; then
echo "WARNING: Could not find existing Cloud Run service image."
echo "Using a placeholder image (gcr.io/cloudrun/hello) for initial Terraform apply."
IMAGE="gcr.io/cloudrun/hello"
fi
echo "Found Image: $IMAGE"
cd terraform
# Initialize Terraform
echo "Initializing Terraform..."
terraform init
echo "Formatting Terraform files..."
terraform fmt
echo "Validating Terraform configuration..."
terraform validate
echo "------------------------------------------------"
echo "Applying changes..."
echo "------------------------------------------------"
terraform apply -var="project_id=$PROJECT_ID" -var="cloud_run_image=$IMAGE" -auto-approve
echo "------------------------------------------------"
echo "Building and deploying updated Cloud Run service..."
echo "------------------------------------------------"
gcloud run deploy $SERVICE_NAME \
--source ../auth_issue_demo \
--region $REGION \
--project $PROJECT_ID \
--service-account $SA_NAME@$PROJECT_ID.iam.gserviceaccount.com \
--quiet
EOF
- Run the following command to make the shell script executable:
chmod +x ~/gemini-cloud-assist-debug/setup_via_tf.sh
- Create an
.envfile containing your Google Cloud project ID for deployment. Update theYOUR_PROJECT_IDfield:
cat <<EOF > ~/gemini-cloud-assist-debug/.env
PROJECT_ID=YOUR_PROJECT_ID
USE_PUBLIC_IP=true
EOF
6. Deploy the Application
The application code and Google Cloud resources are ready to deploy. This can take up to 15 minutes.
Run the following command from the terminal:
cd ~/gemini-cloud-assist-debug
./setup_via_tf.sh
While the components deploy, browse the files in Cloud Shell Editor to learn more.
7. Create and debug an error
Now, we will trigger an error from the application. Open Cloud Run on the left pane. Then, click the auth-issue-demo service.
- At the top of the Service details page there is a URL. Copy the URL and open a new browser tab. Paste the URL and add
/connectto it. Your URL will look something like:
https://auth-issue-demo-
- Go to the URL. It may take a few seconds for the Cloud Run instance to start. You will get an error.
- Go back to the Cloud Run Service details page. Click Observability, then click Logs. You will see the logs for the container including an error. If the error log is not available yet, wait a few seconds and refresh the page using the icon on the upper right.
- Click the error log to read more. Click the Investigate icon in the main log's line. Then, click Investigate Log
The Cloud Assist chat pane will open. The investigation takes 2 to 3 minutes to complete.
Once the investigation is completed, you can read the results and recommendations. There is a recommendation to add the proper grant to the service account for Cloud Run to access the AlloyDB instance.
8. Remediate the error
Fix the service account permission error.
- Go to Cloud IAM.
- Click the Grant Access button. In the principal pane, start by typing
auth-demo, and wait for the service account to display. - Next, add the
AlloyDB Clientrole to the service account, then click Save.
This takes up to a minute to propagate.
Once you've waited, go back and refresh the application. You will now see a success message from the AlloyDB database.
9. Congratulations
Congratulations! You have successfully completed this introduction to Cloud Investigations and the process of debugging an application's permissions on Google Cloud.
What's next?
- Explore other guides and examples showcasing how to use Gemini Cloud Assist for different scenarios:
- Review the Gemini Cloud Assist documentation to learn more about its features and capabilities.