Tools

Tools: GCP Hands-on: Deploying OpenAB - Building a Gemini ACP Bridge for Telegram on GCE (2026)

2026-05-02 0 views admin
Tools: GCP Hands-on: Deploying OpenAB - Building a Gemini ACP Bridge for Telegram on GCE (2026)

Background

Deployment Decision: Why GCE instead of Cloud Run?

Practical Steps: Step-by-Step Deployment Process

Step 1: Writing an Automated Startup Script

Step 2: Using gcloud to Create a GCE Instance

Step 3: Configuring the Gemini API Key

Step 4: Using Cloudflare Tunnel to Solve HTTPS Requirements

Blood and Tears in the Migration Process: Technical Summary

Pitfall 2: Hardcoded Configuration Path

Pitfall 3: Security Secret Token Verification Failed

Summary: The Perfect AI Bridging Solution Recently, in order to enable AI coding assistants (such as Claude Code or Gemini CLI) to be used directly on chat platforms, I started researching OpenAB. This is a powerful bridge that can connect Slack, Discord, or Telegram to CLI tools that comply with the ACP (Agent Client Protocol) standard. This article documents the complete practical process of deploying OpenAB on Google Cloud, specifically how to bypass authentication restrictions, handle Telegram's HTTPS requirements, and resolve path and permission issues in containerized deployments. Although Cloud Run is my first choice, when dealing with OpenAB, Google Compute Engine (GCE) is the best solution. There are two reasons: To standardize the deployment, we wrote a setup-openab.sh. Its core task is to install Docker, create persistent directories, and dynamically generate config.toml. The most critical part is the custom Docker Image. Since the official OpenAB image does not necessarily include all AI tools, we install Node.js and @google/gemini-cli on-site through Dockerfile: We chose the e2-medium specification and passed sensitive information (such as Bot Token) through Metadata to avoid hardcoding it in the script. Unlike Kiro, which requires interactive login, gemini-cli can directly read environment variables. We inject the API Key into OpenAB's config.toml to make it run automatically in the background: Telegram Webhook strictly requires HTTPS. Instead of setting up a complex Nginx + SSL, I chose to use Cloudflare Quick Tunnel: During the deployment process, we debugged several times, and here are the three major "pits" summarized: At first, I tried to Pull openabdev/openab from Docker Hub, but it always failed. Finally, I found that the current stable image of the project is placed in GitHub Container Registry (GHCR). OpenAB's Dockerfile expects the configuration file path to be /etc/openab/config.toml. I initially mounted it to /app/config.toml, which caused the container to crash immediately after startup and report an error. Even if the URL is correct, Telegram messages are still rejected by the Gateway. The log shows invalid or missing secret_token. Through this architecture, I successfully built a fully self-hosted, secure, and efficient AI assistant on GCP. It does not rely on expensive subscriptions, but directly utilizes Gemini's API capabilities and uses Telegram as the interaction interface. If you also want to set up a dedicated ACP bridge on the cloud, this combination of GCE + Docker + Cloudflare Tunnel will be the most balanced and stable choice. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Code Block

Copy

FROM ghcr.io/openabdev/openab:latest USER root RUN apt-get update && apt-get install -y curl && \ curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \ apt-get install -y nodejs && \ npm install -g @google/gemini-cli USER 1000 FROM ghcr.io/openabdev/openab:latest USER root RUN apt-get update && apt-get install -y curl && \ curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \ apt-get install -y nodejs && \ npm install -g @google/gemini-cli USER 1000 FROM ghcr.io/openabdev/openab:latest USER root RUN apt-get update && apt-get install -y curl && \ curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \ apt-get install -y nodejs && \ npm install -g @google/gemini-cli USER 1000 gcloud compute instances create openab-server \ --project=your-project-id \ --zone=asia-east1-b \ --machine-type=e2-medium \ --image-family=debian-11 \ --image-project=debian-cloud \ --metadata-from-file startup-script=setup-openab.sh \ --metadata=tg_bot_token=YOUR_BOT_TOKEN gcloud compute instances create openab-server \ --project=your-project-id \ --zone=asia-east1-b \ --machine-type=e2-medium \ --image-family=debian-11 \ --image-project=debian-cloud \ --metadata-from-file startup-script=setup-openab.sh \ --metadata=tg_bot_token=YOUR_BOT_TOKEN gcloud compute instances create openab-server \ --project=your-project-id \ --zone=asia-east1-b \ --machine-type=e2-medium \ --image-family=debian-11 \ --image-project=debian-cloud \ --metadata-from-file startup-script=setup-openab.sh \ --metadata=tg_bot_token=YOUR_BOT_TOKEN [agent] command = "gemini" args = ["--acp"] env = { GEMINI_API_KEY = "AIzaSy..." } [agent] command = "gemini" args = ["--acp"] env = { GEMINI_API_KEY = "AIzaSy..." } [agent] command = "gemini" args = ["--acp"] env = { GEMINI_API_KEY = "AIzaSy..." } - OpenAB Reference Documentation: https://openabdev.github.io/openab/ - OpenAB Repo: https://github.com/openabdev/openab - Stateful Session: OpenAB will start a child process (such as Gemini CLI) for each conversation thread. These processes must reside for a long time to maintain the conversation context. Cloud Run's automatic scaling mechanism will kill these processes, leading to conversation interruption. - Authentication Persistence: The AI CLI's Token needs to be stored on the local disk. GCE, combined with Persistent Disk, can ensure that the login status does not disappear after restarting. - Run on VM: cloudflared tunnel --url http://localhost:8080. - Get a randomly generated HTTPS URL. - Register Webhook: curl "https://api.telegram.org/bot<TOKEN>/setWebhook?url=<CF_URL>/webhook/telegram&secret_token=<SECRET>" - Solution: You must use ghcr.io/openabdev/openab:latest. - Solution: Correct the Docker Volume mount path to /etc/openab/config.toml. - Reason: openab-gateway generates an internal checksum to prevent illegal requests. - Solution: You must extract the Token from the Gateway container and pass it as the secret_token parameter when setWebhook.

🏷️ Tags

toolsutilitiessecurity toolshandsdeployingopenabbuildinggeminibridgetelegram

More from Tools

Tools: How to Deploy Llama 3.2 1B with Ollama on a $4/Month DigitalOcean Droplet: Sub-$50/Year Edge AI Inference (2026)

Tools: How to Deploy Llama 3.2 1B with Ollama on a $4/Month DigitalOcean Droplet: Sub-$50/Year Edge AI Inference (2026)

2026-05-02 0
Tools: Ultimate Guide: GCP in Action: Building a Persistent AI Assistant with GCE, Hermes Agent, and Telegram

Tools: Ultimate Guide: GCP in Action: Building a Persistent AI Assistant with GCE, Hermes Agent, and Telegram

2026-05-02 0
Tools: I built a production-ready Wazuh SIEM on Docker (with custom rules for VMware, AWS and GCP) How

Tools: I built a production-ready Wazuh SIEM on Docker (with custom rules for VMware, AWS and GCP) How

2026-05-02 0
Tools: How to Deploy a Node.js App on Heroku in 2026

Tools: How to Deploy a Node.js App on Heroku in 2026

2026-05-02 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views