
Persistent "API Key Not Valid" Error on Cloud Run Deployment (Gemini API)

 

  • Description: Despite successful local application functionality and direct curl tests of the Gemini API (using a valid API key), our Cloud Run service consistently reports "API key not valid" errors from the Generative Language API. This prevents AI insight generation in the deployed environment.
  • Key Findings & Steps Taken:
    • Local Success: The application (React frontend, Node.js/Express backend proxying Gemini API) functions perfectly locally in Cloud Shell, with AI insights generating as expected.
    • Backend Confirmed Key Loading: Debugging logs (console.log('DEBUG: GEMINI_API_KEY value:', GEMINI_API_KEY);) within the deployed Cloud Run service show that the GEMINI_API_KEY environment variable is correctly populated with the full API key from Secret Manager.
    • Direct curl Test Success: A curl command using the exact same API key and gemini-1.5-flash model, directly to the generativelanguage.googleapis.com endpoint, successfully returns AI content.
    • Secret Manager Configuration: The gemini-api-key secret is correctly created in Secret Manager, and the Cloud Run service account has the roles/secretmanager.secretAccessor role.
    • Model Name Confirmation: The gemini-1.5-flash model is used, which was confirmed available and working via curl.
    • Region Agnostic: Deployment attempts in both us-central1 and us-west1 regions exhibit the same "API key not valid" error.
    • Base64 Encoding Attempt: To rule out hidden character issues, the API key was Base64-encoded in Secret Manager, and the backend was updated to decode it. This resulted in a new TypeError: Cannot convert argument to a ByteString... within the container, suggesting corruption after Secret Manager injection but before decoding or API call preparation.
    • Observed Discrepancy: The API key not valid error is received from Google's Generative Language API only when the call originates from the Cloud Run container, never from local execution or direct curl.

 


Hi @tedbanks,

Welcome to Google Cloud Community!

This situation suggests an environment configuration or network access issue specific to the Cloud Run environment. Here are some of the possible causes of the error you are seeing and how to resolve them:

  • Seeing the API key in console.log is a good sign, but it doesn’t guarantee that the Generative Language API client is using it correctly inside the Node.js app. Cloud Run may handle environment variables or parse them slightly differently compared to a local environment like Cloud Shell. Instead of depending on the client library to automatically use your environment variable, manually pass the API key when creating the Generative Language client. Also, make sure the library version matches between local and Cloud Run — version mismatches can cause weird issues. Finally, just in case, double-check that no encoding problems are affecting the key when read from the environment.
  • Even though you're calling a Google API, Cloud Run still runs inside Google's infrastructure. If your service is restricted by VPC Service Controls or has limited egress settings, it might block access to generativelanguage.googleapis.com. When that happens, the API can’t reach the endpoint to check the key, which could lead to an “API key not valid” error.
    • Review VPC Service Controls: If your project uses VPC Service Controls, make sure the generativelanguage.googleapis.com API is allowed. Also, check that your Cloud Run service is properly included within the access perimeter.
    • Egress Configuration: Look at your Cloud Run network settings. If "Allow all traffic" is selected, you’re likely fine. But if you're routing all traffic through a VPC, confirm that the VPC allows outbound connections to Google APIs.
    • Using Google’s Internal Network: To improve reliability, consider setting up Private Google Access or using Serverless VPC Access with a VPC that supports it. This routes API calls over Google’s internal network, helping avoid potential external connectivity issues.
  • The TypeError: Cannot convert argument to a ByteString... after Base64 encoding is an important clue. It indicates that although the key may be correctly retrieved from Secret Manager, there’s likely a formatting or type issue with it right before it’s passed to the API client.
    • Remove Base64 Encoding: Base64 encoding the API key appears to be causing problems. It's usually not needed unless there’s a specific reason. It's better to store the plain key directly in the Secret Manager.
    • Check the Data Type: Make sure the API key from process.env.GEMINI_API_KEY is being treated as a string. Environment variables can sometimes be misinterpreted. You can confirm by logging typeof GEMINI_API_KEY before using it in your code.
    • Watch for Extra Spaces: Even small issues like leading or trailing spaces in the API key can break authentication. While tools like curl might reveal this, it’s good practice to trim the key in your code.
  • While Cloud Shell closely resembles a deployed environment, there can be small but important differences in how Node.js handles environment variables or networking when running in Cloud Run. You can create a simple Cloud Run service that only initializes the Generative Language API client using the GEMINI_API_KEY from process.env and makes one basic API call (like generating a short message). This helps pinpoint whether the issue is with how the key is being handled in the Cloud Run environment.
  • It is also possible that the Gemini model you are using might not be available. As per Google’s documentation, the Gemini 1.5 Pro and Gemini 1.5 Flash models are no longer accessible to projects that haven’t previously used them. This includes all newly created projects.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
