Aller au contenu principal
OrbiAds logo — infrastructure AdOps IA pour Google Ad Manager OrbiAds
A2A series · 2 / 4

Deploy a GAM agent and make it
A2A-discoverable

From local to cloud: adk deploy agent_engine, managed auth (Agent Identity connector), the Agent Registry, and an orchestrator that discovers then delegates over A2A. With the self-service "Connect an agent" page.

OA
OrbiAds Engineering
Published June 30, 2026 · 12 min read

In article 1, the GAM agent ran locally and the OAuth connection was proven. Now the step that makes it useful to other agents: deploy it to the cloud and make it A2A-discoverable.

Deploy to Vertex Agent Engine

A single command packages the agent and creates a reasoningEngine resource in Vertex AI Agent Engine (Agent Platform):

adk deploy agent_engine \
  --project=PROJECT_ID --region=us-central1 \
  gam_sentinel

⚙️ Two time-wasting gotchas: install google-cloud-aiplatform[agent_engines] (for vertexai), and pin opentelemetry==1.42.1 (newer versions break ADK).

Agent deployed to Agent Platform
The GAM agent deployed to Agent Platform (Vertex AI Agent Runtime) — google-adk framework, us-central1 region.

Managed auth (Agent Identity connector)

A deployed agent can't open a browser to consent. The clean path is the Agent Identity Auth Manager: a Google-managed 3LO OAuth connector. The user consents once (in the browser), Google stores and refreshes tokens and injects them into the agent — no refresh code to write.

Until a user has consented through the connector, the agent returns Failed to retrieve credential. That's expected — proof the runtime works and that the front door is user authorization, not an agent secret.

Agent Card + Agent Registry

Deployment serves the Agent Card (/.well-known/agent-card.json, seen in article 1) and registers the agent in the Agent Registry — the directory of discoverable agents — as CUSTOM. From there, any other agent can find it and delegate a task to it.

The orchestrator: discover then delegate

This is the real "A2A" moment. An orchestrator (1) discovers the GAM agent via a registry search (registry_search_agents), then (2) delegates to it via a RemoteA2aAgent that reads its card and hands off the task (transfer_to_agent). The reply flows back to the orchestrator. Two agents talking:

A2A inter-agent communication
A2A in action: the orchestrator discovers the agent (registry_search_agents) then delegates to it (transfer_to_agent) → reply.

The "Connect an agent" page

On the OrbiAds side, no need to wire credentials by hand: a self-service page provisions an OAuth client for the agent. You enter a name and the redirect URL; OrbiAds returns a client_id and a secret shown only once.

"Connect an agent" page
"Connect an agent" page: enter a name and the agent's redirect URL.
Agent client created
The client is created: client_id + secret shown once only, copy them immediately.

The client's redirect URL must match the Agent Identity connector callback, otherwise consent fails at runtime. The page shows the exact template to use.

What's next

The agent is deployed, discoverable, and an orchestrator can delegate to it. In article 3, we compose a real multi-agent business case: a forecast and a format recommendation in parallel, merged into an optimization plan.

Further reading

The full code, ready to clone

All 4 agents, the step-by-step tutorial and the examples — on GitHub, MIT licensed.

View the GitHub repo Article 3 — Multi-agent
FAQ

Frequently asked questions

How do I deploy an ADK agent to Vertex Agent Engine?

With the adk deploy agent_engine command. It packages the agent code and creates a reasoningEngine resource in Vertex AI Agent Engine (Agent Platform). Common gotchas: install google-cloud-aiplatform[agent_engines] (for vertexai) and pin opentelemetry==1.42.1 (ADK compatibility).

How does a deployed agent authenticate without a browser?

Via the Agent Identity Auth Manager: a Google-managed 3LO OAuth connector. The user consents once, Google stores and refreshes tokens and injects them into the agent — no refresh code to write. Until a user has consented, the agent returns "Failed to retrieve credential": that is expected behavior, not a bug.

What is the Agent Registry and CUSTOM auto-registration?

The Agent Registry is the directory where agents register to be discovered over A2A. adk deploy automatically registers the agent there (CUSTOM type). Another agent can then find it via a registry search and delegate a task to it.

How does one agent delegate to another over A2A?

The orchestrator discovers the target agent (Agent Registry search), then delegates via a RemoteA2aAgent that reads its Agent Card (/.well-known/agent-card.json) and hands off the task (transfer_to_agent). The reply flows back to the orchestrator.