Deploy Langfuse on Google Cloud Platform (Cloud Run & Cloud SQL)
Before following this guide, please make sure that you are familiar with the self-hosting documentation.
Langfuse is open source (MIT licensed core product) and you can deploy it on any platform to add observability, evaluation and prompt management to your LLM applications. Langfuse is configurable via environment variables; you can find the full list of available configuration options in the self-host guide.
The simplest way to deploy Langfuse on Google Cloud Platform is to use Cloud Run for the containerized application and Cloud SQL for the database.
Option 1: UI Deployment
Create Cloud SQL Instance:
- Open Google Cloud SQL.
- Click on Create Instance.
- Choose PostgreSQL and configure the instance according to your requirements.
- You’ll need the following details:
  - default > user: postgres
  - default > database schema: public
  - setup > password: <password>
  - connection > connection name: <google-cloud-project-id>:<region-id>:<sql-instance-id>
Optionally: Create OAuth Credentials for sign-in with Google
- Open API Credentials
- Click “Create Credentials” and then “OAuth Client ID”
- Choose “Web Application” and then give it an appropriate name
- Click Create
Create Secrets:
- Open Secret Manager
- For each secret needed (at least AUTH_GOOGLE_CLIENT_ID, AUTH_GOOGLE_CLIENT_SECRET, DATABASE_URL, DIRECT_URL, NEXTAUTH_SECRET, NEXTAUTH_URL, and SALT), click “Create Secret” and fill in the name and value.
Notes:
- DATABASE_URL is the connection string to the Cloud SQL instance: postgresql://<user-name>:<password>@localhost/<db-name>/?host=/cloudsql/<google-cloud-project-id>:<region-id>:<sql-instance-id>&sslmode=none&pgbouncer=true
- DIRECT_URL is for database migrations, without &pgbouncer=true; the value should look like this: postgresql://<user-name>:<password>@localhost/<db-name>/?host=/cloudsql/<google-cloud-project-id>:<region-id>:<sql-instance-id>&sslmode=none
- Set NEXTAUTH_URL to http://localhost:3000. This is a placeholder, we’ll update it later.
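The two connection strings in the notes differ only in the pgbouncer flag, and a password containing characters such as @ or / has to be percent-encoded before it goes into either one. The script below is an added example, not part of the Langfuse documentation: the helper names (urlencode, db_url, put_secret), the database name and the sample connection name are assumptions, and the gcloud and openssl calls run only when it is invoked with --apply.

```shell
#!/bin/sh
# Added example; helper names and sample values are constructed, not from the Langfuse docs.
LC_ALL=C

# Percent-encode everything outside the RFC 3986 unreserved set, so a password
# containing @ : / # ? cannot change how the connection URL is parsed.
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}          # c = first character of s
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# db_url USER PASSWORD DB CONNECTION_NAME [pooled]
# With "pooled" this is DATABASE_URL; without it, DIRECT_URL (used for migrations).
db_url() {
  url="postgresql://$(urlencode "$1"):$(urlencode "$2")@localhost/$3/?host=/cloudsql/$4&sslmode=none"
  if [ "${5:-}" = pooled ]; then url="$url&pgbouncer=true"; fi
  printf '%s' "$url"
}

# put_secret NAME: the value arrives on stdin, so it never shows up in argv or shell history.
put_secret() {
  gcloud secrets create "$1" --replication-policy=automatic --data-file=-
}

if [ "${1:-}" = "--apply" ]; then
  conn="your-project-id:europe-west1:my-cool-db"   # placeholder connection name
  printf 'Cloud SQL password: ' >&2
  stty -echo; read -r pw; stty echo; echo >&2
  db_url postgres "$pw" postgres "$conn" pooled | put_secret DATABASE_URL
  db_url postgres "$pw" postgres "$conn"        | put_secret DIRECT_URL
  # Strip the trailing newline so it does not become part of the secret value.
  openssl rand -base64 32 | tr -d '\n' | put_secret NEXTAUTH_SECRET
  openssl rand -base64 32 | tr -d '\n' | put_secret SALT
fi
```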
Deploy on Cloud Run:
- Open Google Cloud Run.
- Click on Create Service.
- Enter the following container image URL: docker.io/langfuse/langfuse:2. We use tag 2 to pin the major version.
- Configure the service name and region according to your requirements.
- Select authentication as ‘Allow unauthenticated invocations’, as Langfuse will have its own built-in authentication that you can use.
- Choose ‘CPU Allocation and Pricing’ as “CPU is only allocated during request processing” to scale down the instance to 0 when there are no requests.
- Configure ingress control according to your needs. For most cases, ‘All’ should suffice.
- “Container(s), Volumes, Networking & Security”:
  - Specify container port as 3000.
  - On “Variables & Secrets” tab, add the required environment variables (see table above): SALT, NEXTAUTH_URL, NEXTAUTH_SECRET, and DATABASE_URL, etc.
- Scroll all the way down to enable the Cloud SQL connections. Select the created Cloud SQL instance in the dropdown. Context: Your Cloud Run service won’t be assigned a static IP, so you can’t whitelist the ingress IP in Cloud SQL or any other hosted databases. Instead, we use the Google Cloud SQL Proxy.
- Finally, you can finish deploying the application.
- While the application is deployed for the first time, you can see how the database migrations are applied in the logs.
- Once the application is up and running, you can find the Cloud Run service URL on top of the page. Now, choose “Edit and deploy new revision” to update the NEXTAUTH_URL environment variable to the Cloud Run service URL ending in .run.app.
- Optionally, configure a custom domain for the Cloud Run service.
Troubleshooting: Cloud SQL Connection Issues
If you encounter an error like “Error 403: boss::NOT_AUTHORIZED: Not authorized to access resource” or “Possibly missing permission cloudsql.instances.connect” when deploying the Langfuse container, you may need to grant ‘Cloud SQL Client’ permissions to the relevant service accounts. Here’s how to resolve this:
1. In the Google Cloud search box, search for and select “Service Accounts”.
2. Find the service accounts with names ending in @appspot.gserviceaccount.com and -compute@developer.gserviceaccount.com.
3. In the Google Cloud search box, search for and select “IAM & Admin”.
4. Click “Grant Access”, then “Add Principals”.
5. Enter the name of the first service account you found.
6. Select the “Cloud SQL Client” role and save.
7. Repeat steps 4-6 for the second service account.
After granting these permissions, try redeploying your Cloud Run service. This should resolve any authorization issues related to connecting to your Cloud SQL instance.
Option 2: Cloud Build
Google Cloud Build is GCP’s continuous integration and continuous deployment (CI/CD) service that automates the building, testing, and deployment of your applications. To deploy Langfuse, you can specify your workflow in a cloudbuild.yaml file. Additionally, GCP’s Secret Manager can be used to securely handle sensitive information like DATABASE_URL and NEXTAUTH_SECRET. Below is an example of how to set up a Cloud Build configuration:
# Deployment configuration for Langfuse on Google Cloud Run
substitutions:
  _SERVICE_NAME: langfuse
  _REGION: europe-west1 # Change to your desired region
  _PROJECT_ID: your-project-id # Change to your Google Cloud project ID
  _SQL_INSTANCE_ID: my-cool-db # The name of the Cloud SQL instance you created
tags: ["${_PROJECT_ID}", "${_SERVICE_NAME}"]
steps:
  # Step to deploy the Docker image to Google Cloud Run
  - name: "gcr.io/cloud-builders/gcloud"
    id: deploy-cloud-run
    entrypoint: bash
    args:
      - "-c"
      - |
        gcloud run deploy ${_SERVICE_NAME} --image docker.io/langfuse/langfuse:2 \
          --region ${_REGION} \
          --project ${_PROJECT_ID} \
          --platform managed \
          --port 3000 \
          --allow-unauthenticated \
          --memory 2Gi \
          --cpu 1 \
          --min-instances 0 \
          --max-instances 3 \
          --set-env-vars HOSTNAME=0.0.0.0 \
          --add-cloudsql-instances=${_PROJECT_ID}:${_REGION}:${_SQL_INSTANCE_ID} \
          --update-secrets AUTH_GOOGLE_CLIENT_ID=AUTH_GOOGLE_CLIENT_ID:latest,AUTH_GOOGLE_CLIENT_SECRET=AUTH_GOOGLE_CLIENT_SECRET:latest,SALT=SALT:latest,NEXTAUTH_URL=NEXTAUTH_URL:latest,NEXTAUTH_SECRET=NEXTAUTH_SECRET:latest,DATABASE_URL=DATABASE_URL:latest,DIRECT_URL=DIRECT_URL:latest
To submit this build, use the following command in your local console, in the directory containing the cloudbuild.yaml file:
gcloud builds submit .
For automatic rebuilds upon new commits, set up a Cloud Build Trigger linked to your repository holding the cloudbuild.yaml file. This will redeploy Langfuse whenever changes are pushed to the repository.
Note on AlloyDB
AlloyDB is a fully managed, PostgreSQL-compatible database offered by Google Cloud Platform that is tuned for better performance on tasks such as analytical queries and in-database embeddings. It is recommended that you use it within a Shared VPC with your Cloud Run runtime, which will expose AlloyDB’s private IP address to your application. If you are using it, the DB connection string changes slightly:
# ALLOYDB_CONNECTION_STRING
postgresql://<USER>:<PASSWORD>@<ALLOY_DB_PRIVATE_IP>:5432/<ALLOY_DB_DATABASE>/?sslmode=none&pgbouncer=true
# ALLOYDB_DIRECT_URL
postgresql://<USER>:<PASSWORD>@<ALLOY_DB_PRIVATE_IP>:5432/<ALLOY_DB_DATABASE>/?sslmode=none