Dev Tools / 2026-07-02 / Intermediate

After the One-Click Deploy — Hardening an AI Studio Gemini App on Cloud Run for Real Production Use

AI Studio's one-click deploy to Cloud Run gives you a working URL in minutes — but not a production service. A practical checklist for API key storage, authentication, cost ceilings, and observability, with copy-paste gcloud commands.

When the one-click deploy to Cloud Run appeared in AI Studio's build tab recently, I tried it on a small Gemini app I had built as little more than an internal tool. A few minutes later I had a public URL and a working app in the browser. As an onboarding experience, it is honestly impressive. But when I went to share that URL with someone, I stopped. Having run a number of Cloud Run services as an indie developer, I know there is a real gap between "there is a URL that works" and "this is fit to be public."

Running gcloud run services describe against the freshly deployed service confirmed the suspicion: several things needed attention. Where does the API key actually live? Can anyone on the internet call this URL? How far will it scale, and is there any ceiling on what it can cost me? And how am I supposed to ship the next change to this thing?

None of those questions matter for a prototype. All of them matter the moment the URL is public. So here is the exact sequence of checks I ran, written up so it can be repeated — the goal being to keep the generated code alive and lift it to an operational standard, rather than throwing it away and starting over.

What the One-Click Deploy Does — and What It Leaves to You

Let's draw the boundary first. The one-click deploy takes care of roughly this much:

  • Building the container and creating the Cloud Run service
  • Issuing a public URL with HTTPS termination
  • Wiring up credentials so the app can call the Gemini API at all

What it cannot decide for you:

  • Who is allowed to call that URL (authentication and authorization)
  • Where your API key and secrets should be managed long-term
  • How much you are willing to pay if traffic exceeds expectations
  • How the generated code will keep being updated

The difference between a prototype and a production service is not features. It is having answers to those four questions. The rest of this piece fills them in, one by one.

Check 1: Find Out Where the API Key Lives

Start here. Right after deployment, your Gemini API key may be sitting directly in an environment variable on the service. Environment variables are visible to anyone who can view the service in the console or run gcloud run services describe, and they get copied forward into every revision.

Since June 19, 2026, the Gemini API rejects requests from unrestricted API keys, so restricting the key is table stakes. I go one step further and treat "the key body lives in Secret Manager" as the minimum bar before anything is shared publicly.

# 1. Create a secret holding the key
printf '%s' "YOUR_GEMINI_API_KEY" | \
  gcloud secrets create gemini-api-key --data-file=-

# 2. Grant the Cloud Run service account read access
#    (the account must exist first; creating a dedicated one is shown further down)
gcloud secrets add-iam-policy-binding gemini-api-key \
  --member="serviceAccount:my-service-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# 3. Replace the inline env var with a secret reference
gcloud run services update my-genai-app \
  --region=asia-northeast1 \
  --remove-env-vars=GEMINI_API_KEY \
  --set-secrets=GEMINI_API_KEY=gemini-api-key:latest

The nice property of step 3: application code still sees a plain GEMINI_API_KEY environment variable, so you change where the key is stored without touching a single line of generated code. You raise the safety floor before you ever have to read, let alone edit, the prototype.

While you are in there, check which service account the service runs as. If it is the default Compute Engine service account, create a dedicated one and switch — otherwise a public-facing service is running with broad access to everything else in your project.

gcloud iam service-accounts create my-service-sa \
  --display-name="genai app runtime"
 
gcloud run services update my-genai-app \
  --region=asia-northeast1 \
  --service-account=my-service-sa@my-project.iam.gserviceaccount.com
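To confirm that both changes from Check 1 actually landed, the following added example (not code from the original article) audits the JSON that gcloud run services describe --format=json returns. The two embedded service descriptions are constructed samples, the project number in them is a placeholder, and the pattern for "sensitive" variable names is an assumption you should adapt.

```python
import json
import re

# Constructed sample shaped like `gcloud run services describe my-genai-app
# --region=asia-northeast1 --format=json` output; all values are made up.
SAMPLE_BEFORE = json.loads("""
{"spec": {"template": {"spec": {
  "serviceAccountName": "123456789012-compute@developer.gserviceaccount.com",
  "containers": [{"env": [
    {"name": "GEMINI_API_KEY", "value": "EXAMPLE-NOT-A-REAL-KEY"},
    {"name": "LOG_LEVEL", "value": "info"}]}]}}}}
""")
# Constructed sample of the same service after the commands above.
SAMPLE_AFTER = json.loads("""
{"spec": {"template": {"spec": {
  "serviceAccountName": "my-service-sa@my-project.iam.gserviceaccount.com",
  "containers": [{"env": [
    {"name": "GEMINI_API_KEY", "valueFrom": {"secretKeyRef":
        {"name": "gemini-api-key", "key": "latest"}}},
    {"name": "LOG_LEVEL", "value": "info"}]}]}}}}
""")

# Assumption: variable names matching this pattern hold credentials.
SENSITIVE_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.I)
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

def audit_service(service: dict) -> list[str]:
    """Return findings for Check 1: inline credentials and runtime identity."""
    findings = []
    spec = service.get("spec", {}).get("template", {}).get("spec", {})
    for container in spec.get("containers", []):
        for env in container.get("env", []):
            name = env.get("name", "")
            if not SENSITIVE_NAME.search(name):
                continue
            # A Secret Manager reference appears as valueFrom.secretKeyRef;
            # a literal "value" means the key body is stored on the service.
            if env.get("valueFrom", {}).get("secretKeyRef") is None:
                # Report the variable name only; never echo the value.
                findings.append(f"inline-secret:{name}")
    sa = spec.get("serviceAccountName", "")
    # An empty field means the service runs as the default compute account.
    if not sa or DEFAULT_COMPUTE_SA.match(sa):
        findings.append("default-compute-service-account")
    return findings

if __name__ == "__main__":
    for label, svc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_service(svc))
```

To run it against a live service, pipe the describe output into json.load(sys.stdin) in place of the samples; an empty findings list means the key is referenced from Secret Manager and the service runs as a dedicated account.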
