Use Case · Google ADK

Your ADK agent manages credentials. Civic makes sure they don't leak.

Google ADK makes building agents easy. Civic keeps API keys out of agent memory, logs, and error traces.

use case / google adk

The agent's error trace included the service account key. The trace went to Cloud Logging.

Just imagine, one day…

You build a Google ADK agent that connects to multiple Google Cloud services. It uses a service account key for authentication. During a tool call, a transient API error triggers an exception.

The stack trace captures the full request context, including the service account credentials. Google Cloud Logging ingests the trace. 20 team members have access to Cloud Logging. The key sits there for weeks until a security scan flags it.

Service account keys in error traces aren't edge cases. They're the default when agents manage their own credentials.

Without credential isolation, error traces become security incidents.

It does things you did not intend

A transient API error dumped the service account key into a stack trace. The trace shipped to Cloud Logging where 20 people can see it.

You cannot prove what happened

Who saw the trace? Was the key copied? Cloud Logging shows access, but the key was visible for weeks before anyone noticed.

You cannot stop it fast enough

Rotating the key means updating every service that uses it. The old key is still in historical logs. Purging logs takes a support ticket.

It gets confused and you never know

Error handling captured the full request context by default. Nobody configured it to redact credentials because nobody expected them in agent memory.

Your ADK agent calls Civic. Credentials stay in Civic, not in your runtime.

Connectivity

One MCP endpoint for Google Cloud services, third-party APIs, and databases. Your ADK agent gets tool access without managing service account keys.

Guardrails

Query BigQuery, read Cloud Storage, call APIs. Credentials never enter the agent runtime. Error traces contain tool names, not keys.

Auditability

Every tool call logged in Civic with full context but without credentials. Errors are traced without exposing authentication details.

Revocation

Revoke access in Civic and the agent loses all tool connections. No key rotation across services. No log scrubbing.

Connect Google ADK through Civic in three steps

Google ADK Agent

Add BigQuery and Cloud Storage.

Scope BigQuery to analytics dataset.

Cloud Storage: read-only.

Done. 2 tools connected:

✓ BigQuery — analytics dataset

✓ Cloud Storage — read-only

Your MCP URL is ready to copy.

Read the docs

The same scenario. Different outcomes.

Without Civic, error traces include credentials. With Civic, credentials never enter the agent runtime.

$ python adk_agent.py --run

[adk] calling BigQuery API...

[bigquery] 503 Service Unavailable

[adk] exception: service_account_key in trace

[cloud-logging] ✘ key visible to 20 people

$ # service account key in logs. weeks to discover.

$ python adk_agent.py --run

[adk] calling BigQuery via Civic...

[bigquery] 503 Service Unavailable

[adk] exception: tool_name=bigquery, no credentials

[cloud-logging] trace ingested — clean

$ # error traced. no credentials exposed.

Ship safer with Civic

We'll help you implement authenticated, scoped, and auditable access without slowing down your build.

Start building Read the docs