Firebase Genkit with Cloud Run

You can deploy Firebase Genkit flows as web services using Cloud Run. This page, as an example, walks you through the process of deploying the default sample flow.

  1. Install the Google Cloud CLI if you haven't already.

  2. Create a new Google Cloud project using the Cloud console or choose an existing one. The project must be linked to a billing account.

    After you create or choose a project, configure the Google Cloud CLI to use it:

    gcloud auth login
    gcloud init
  3. Create a directory for the Genkit sample project:

    mkdir -p ~/tmp/genkit-cloud-project
    cd ~/tmp/genkit-cloud-project

    If you're going to use an IDE, open it to this directory.

  4. Initialize a Go module in your project directory:

    go mod init example/cloudrun
  5. Initialize Genkit in your project:

    genkit init

    Select the model provider you want to use.

    Accept the defaults for the remaining prompts. The genkit tool will create a sample source file to get you started developing your own AI flows. For the rest of this tutorial, however, you'll just deploy the sample flow.

  6. Edit the sample file (main.go or genkit.go) to explicitly specify the port the flow server should listen on:

    if err := genkit.Init(ctx,
    	&genkit.Options{FlowAddr: ":3400"}, // Add this parameter.
    ); err != nil {
    	log.Fatal(err)
    }
    
  7. Make API credentials available to your deployed function. Do one of the following, depending on the model provider you chose:

    Gemini (Google AI)

    1. Make sure Google AI is available in your region.

    2. Generate an API key for the Gemini API using Google AI Studio.

    3. Make the API key available in the Cloud Run environment:

      1. In the Cloud console, enable the Secret Manager API.
      2. On the Secret Manager page, create a new secret containing your API key.
      3. After you create the secret, on the same page, grant your default compute service account access to the secret with the Secret Manager Secret Accessor role. (You can look up the name of the default compute service account on the IAM page.)

      In a later step, when you deploy your service, you will need to reference the name of this secret.

    Gemini (Vertex AI)

    1. In the Cloud console, Enable the Vertex AI API for your project.

    2. On the IAM page, ensure that the Default compute service account is granted the Vertex AI User role.

    The only secret you need to set up for this tutorial is for the model provider, but in general, you must do something similar for each service your flow uses.

  8. Optional: Try your flow in the developer UI:

    1. Set up your local environment for the model provider you chose:

      Gemini (Google AI)

      export GOOGLE_GENAI_API_KEY=<your API key>

      Gemini (Vertex AI)

      export GCLOUD_PROJECT=<your project ID>
      export GCLOUD_LOCATION=us-central1
      gcloud auth application-default login
    2. Start the UI:

      genkit start
    3. In the developer UI (http://localhost:4000/), run the flow:

      1. Click menuSuggestionFlow.

      2. On the Input JSON tab, provide a subject for the model:

        "banana"
        
      3. Click Run.

  9. If everything's working as expected so far, you can build and deploy the flow:

    Gemini (Google AI)

    gcloud run deploy --port 3400 \
      --update-secrets=GOOGLE_GENAI_API_KEY=<your-secret-name>:latest

    Gemini (Vertex AI)

    gcloud run deploy --port 3400 \
      --set-env-vars GCLOUD_PROJECT=<your-gcloud-project> \
      --set-env-vars GCLOUD_LOCATION=us-central1

    (GCLOUD_LOCATION configures the Vertex API region you want to use.)

    Choose N when asked if you want to allow unauthenticated invocations. Answering N will configure your service to require IAM credentials. See Authentication in the Cloud Run docs for information on providing these credentials.

After deployment finishes, the tool will print the service URL. You can test it with curl:

curl -X POST https://<service-url>/menuSuggestionFlow \
  -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
  -H "Content-Type: application/json" -d '"banana"'