Deploy to Cloud Run
Before you begin
Install the Google Cloud CLI.
Set the PROJECT_ID environment variable:
export PROJECT_ID="my-project-id"
Initialize gcloud CLI:
gcloud init
gcloud config set project $PROJECT_ID
Make sure you’ve set up and initialized your database.
You must have the following APIs enabled:
gcloud services enable run.googleapis.com \
    cloudbuild.googleapis.com \
    artifactregistry.googleapis.com \
    iam.googleapis.com \
    secretmanager.googleapis.com
To create an IAM account, you must have the following IAM permissions (or roles):
- Create Service Account role (roles/iam.serviceAccountCreator)
To create a secret, you must have the following roles:
- Secret Manager Admin role (roles/secretmanager.admin)
To deploy to Cloud Run, you must have the following set of roles:
- Cloud Run Developer (roles/run.developer)
- Service Account User role (roles/iam.serviceAccountUser)
Note
If you are under a domain restriction organization policy restricting unauthenticated invocations for your project, you will need to access your deployed service as described under Testing private services.
Note
If you are using sources that require VPC-access (such as AlloyDB or Cloud SQL over private IP), make sure your Cloud Run service and the database are in the same VPC network.
Create a service account
Create a backend service account if you don’t already have one:
gcloud iam service-accounts create toolbox-identity
Grant permissions to use Secret Manager:
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:toolbox-identity@$PROJECT_ID.iam.gserviceaccount.com \
    --role roles/secretmanager.secretAccessor
Grant additional permissions to the service account that are specific to the source, e.g.:
Configure tools.yaml file
Create a tools.yaml file that contains your configuration for Toolbox. For details, see the configuration section.
Deploy to Cloud Run
Upload tools.yaml as a secret:
gcloud secrets create tools --data-file=tools.yaml
If you already have a secret and want to update the secret version, execute the following:
gcloud secrets versions add tools --data-file=tools.yaml
Set an environment variable to the container image that you want to use for Cloud Run:
export IMAGE=us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest
Deploy Toolbox to Cloud Run using the following command:
gcloud run deploy toolbox \
    --image $IMAGE \
    --service-account toolbox-identity \
    --region us-central1 \
    --set-secrets "/app/tools.yaml=tools:latest" \
    --args="--tools_file=/app/tools.yaml","--address=0.0.0.0","--port=8080"
    # --allow-unauthenticated # https://cloud.google.com/run/docs/authenticating/public#gcloud
If you are using a VPC network, use the command below:
# TODO(dev): update --network and --subnet to match your VPC if necessary
gcloud run deploy toolbox \
    --image $IMAGE \
    --service-account toolbox-identity \
    --region us-central1 \
    --set-secrets "/app/tools.yaml=tools:latest" \
    --args="--tools_file=/app/tools.yaml","--address=0.0.0.0","--port=8080" \
    --network default \
    --subnet default
    # --allow-unauthenticated # https://cloud.google.com/run/docs/authenticating/public#gcloud
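To confirm that the deployed service matches the setup above (dedicated toolbox-identity service account, tools secret mounted, no public invoker binding of the kind --allow-unauthenticated creates), the following added example, which is not from the original page or the Toolbox project, audits the JSON output of gcloud run services describe and gcloud run services get-iam-policy. The sample documents are constructed, the field layout assumes the Cloud Run Admin API v1 service shape, and audit() is a hypothetical helper name.

```python
import json

# Constructed, trimmed sample of `gcloud run services describe toolbox --format=json`.
# Field layout is an assumption based on the Cloud Run Admin API v1 service shape.
SERVICE_JSON = """{
  "spec": {"template": {"spec": {
    "serviceAccountName": "toolbox-identity@my-project-id.iam.gserviceaccount.com",
    "containers": [{"image": "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
                    "volumeMounts": [{"name": "tools-vol", "mountPath": "/app"}]}],
    "volumes": [{"name": "tools-vol",
                 "secret": {"secretName": "tools",
                            "items": [{"key": "latest", "path": "tools.yaml"}]}}]
  }}}
}"""

# Constructed sample of `gcloud run services get-iam-policy toolbox --format=json`,
# as it would look if the service had been deployed with --allow-unauthenticated.
POLICY_JSON = """{"bindings": [
  {"role": "roles/run.invoker", "members": ["allUsers"]}
]}"""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit(service, policy, expected_sa="toolbox-identity@", expected_secret="tools"):
    """Return a list of findings for a Cloud Run service and its IAM policy."""
    findings = []
    spec = service["spec"]["template"]["spec"]

    sa = spec.get("serviceAccountName", "")
    if not sa.startswith(expected_sa):
        findings.append(f"runs as {sa or 'the default service account'}, expected {expected_sa}*")

    mounted = {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    if expected_secret not in mounted:
        findings.append(f"secret {expected_secret!r} is not mounted")

    for b in policy.get("bindings", []):
        public = PUBLIC_MEMBERS & set(b.get("members", []))
        if b.get("role") == "roles/run.invoker" and public:
            findings.append(f"publicly invokable: {sorted(public)} hold roles/run.invoker")
    return findings


if __name__ == "__main__":
    for f in audit(json.loads(SERVICE_JSON), json.loads(POLICY_JSON)):
        print("FINDING:", f)
```

An empty findings list means the service runs as the dedicated identity, mounts the tools secret, and can only be invoked by authenticated callers.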
Connecting to Cloud Run
Next, we will use gcloud to authenticate requests to our Cloud Run instance:
Run the run services proxy to proxy connections to Cloud Run:
gcloud run services proxy toolbox --port=8080 --region=us-central1
If you are prompted to install the proxy, reply Y to install.
Finally, use curl to verify the endpoint works:
curl http://127.0.0.1:8080
Connecting with Toolbox Client SDK
Next, we will use Toolbox with the client SDK:
Run the following to retrieve a non-deterministic URL for the Cloud Run service:
gcloud run services describe toolbox --format 'value(status.url)'
Import and initialize the toolbox client with the URL retrieved above:
LangChain:
from toolbox_langchain import ToolboxClient

# Replace with the Cloud Run service URL generated above
toolbox = ToolboxClient("http://$YOUR_URL")

LlamaIndex:
from toolbox_llamaindex import ToolboxClient

# Replace with the Cloud Run service URL generated above
toolbox = ToolboxClient("http://$YOUR_URL")