Install the gcloud CLI

The Google Cloud CLI is how you create resources, deploy code, and stream logs from your terminal. It's a single download.

# macOS (with Homebrew)
brew install --cask gcloud-cli
 
# Linux (one-liner installer)
curl https://sdk.cloud.google.com | bash
exec -l $SHELL
 
# Windows: download the installer
# https://cloud.google.com/sdk/docs/install

Verify it landed:

gcloud --version

You should see Google Cloud SDK ... and a version number. If gcloud is not found, restart your terminal and try again.

Log In

Two logins. They are not the same.

# 1. Log in your CLI user (lets you run `gcloud` commands)
gcloud auth login
 
# 2. Log in your Application Default Credentials (lets Python code on your laptop
#    call Google APIs as you, without baking a key into the code)
gcloud auth application-default login

Both will pop a browser. Sign in with your Google account each time. ADC (Application Default Credentials) is the one that matters for the Python code we write later — when you run python ingest.py on your laptop, it picks up your ADC token automatically.

Create a Project

A project is GCP's billing and isolation boundary. Everything we create lives in one project. Delete the project, everything goes with it.

# Pick a globally unique project ID. Lowercase, hyphens, numbers, 6-30 chars.
export PROJECT_ID="my-rag-$(date +%s)"
 
gcloud projects create $PROJECT_ID --name="My RAG App"
gcloud config set project $PROJECT_ID

That $(date +%s) is just a cheap way to add a unique suffix — project IDs must be unique across all of Google Cloud, so plain my-rag will probably collide.

Cloud SQL and Vertex AI need a billing account attached, even when you're well inside the free tier. List your billing accounts:

gcloud billing accounts list

You should see at least one with OPEN: True. Grab the ACCOUNT_ID (it looks like 01ABCD-EFGH12-IJKL34):

gcloud billing projects link $PROJECT_ID --billing-account=YOUR_BILLING_ACCOUNT_ID

If you don't have a billing account yet, the CLI will print a URL to create one. New Google Cloud accounts come with $300 in free credits over 90 days — plenty for this blueprint and then some.

Enable the APIs

GCP doesn't enable APIs by default. You opt in per project:

gcloud services enable \
  sqladmin.googleapis.com \
  aiplatform.googleapis.com \
  run.googleapis.com \
  secretmanager.googleapis.com \
  cloudbuild.googleapis.com \
  artifactregistry.googleapis.com

What each one is for:

APIUsed for
sqladmin.googleapis.comCreating and managing the Cloud SQL Postgres instance
aiplatform.googleapis.comVertex AI — embeddings and Gemini
run.googleapis.comCloud Run — deploying the FastAPI service
secretmanager.googleapis.comStoring the DB connection name and any secrets
cloudbuild.googleapis.comCloud Build — builds the container when we deploy
artifactregistry.googleapis.comWhere the built container image gets stored

This step takes ~30 seconds to a couple of minutes. If you see [OK] after each one, you're good.

Pick a Region

We're going to put everything in one region so the DB and the service can talk over Google's private network for free. Pick whichever is closest to you:

# US central — good default
export REGION="us-central1"
 
# Or: us-east1, europe-west1, asia-southeast1, etc.
# Full list: gcloud compute regions list

Stash that as an env var. Every command for the rest of the blueprint will reference $REGION.

Verify Your Setup

gcloud config list

You should see something like:

[core]
account = you@gmail.com
project = my-rag-1716580000
 
Your active configuration is: [default]

And one quick health check that ADC is working:

gcloud auth application-default print-access-token | head -c 40
echo

If you get a long string of characters (the start of a token), Python on your laptop can now authenticate to Google APIs as you. We use that in Step 4.

A Note on Cleanup

If you ever want to nuke everything you created in this blueprint:

gcloud projects delete $PROJECT_ID

That single command removes the SQL instance, the secrets, the Cloud Run service, the container images — everything billed to that project ID. Worth knowing it exists before you forget what you stood up.

What You Have Now

  • A gcloud CLI logged into your account
  • Application Default Credentials set up so Python can call Google APIs as you
  • A fresh project with billing linked
  • Six APIs enabled
  • A region picked

Next step: stand up the database.

Reference: Install gcloud CLI · Application Default Credentials · Project lifecycle · Free tier overview