Managing Environments in GCP CI/CD: Dev, Staging, and Production

What environment management actually means

At its core, environment management is about four things: isolation, promotion, configuration, and safety.

Isolation means that what happens in dev cannot affect prod. Promotion means code travels through environments in a controlled sequence rather than jumping straight to production. Configuration means each environment gets the right values for its context. Safety means a human decision is required before anything reaches real users.

The three environments serve distinct purposes:

• Development is where code gets written and integration-tested. It accepts frequent, unstable deployments. Speed matters more than reliability here.
• Staging is the last check before production. It mirrors production closely enough that any problem visible there would also appear live. If staging is too small or too different from prod, it fails at its only job.
• Production serves real users. Every change requires a deliberate decision, a controlled deployment, and ideally an approval step.

Why environment management matters

Teams that skip environment management do not avoid problems. They just discover them in production. Here are the specific failure modes that proper environment management prevents:

Config drift

Without a clear system, dev and prod end up configured differently over time. A database connection string, a cache timeout, a feature flag. Nobody documents these differences. Eventually something breaks in prod in a way that nobody can reproduce in dev because the environments have silently diverged.

Accidental production deployment

If production deploys automatically on every push to main, any developer can push a half-finished feature directly to users. A single rushed merge becomes a production incident.

Secrets leakage

If dev and prod share a project or a service account, a developer with broad dev access may have access to production secrets. A compromised dev credential then becomes a prod credential.

Schema mismatch

A database migration that runs fine in dev can fail or corrupt data in prod if staging was not tested with representative data and the same migration path. Staging must run the same scripts against a realistic dataset before prod does.

Unrealistic staging

A staging environment running on a micro-tier database with scale-to-zero Cloud Run will not surface cold-start latency, connection pool exhaustion, or memory pressure under realistic concurrency. You get false confidence before every release. See Dev vs Staging vs Production for the concrete configuration differences that matter.

The recommended GCP pattern: one project per environment

The standard approach is three separate GCP projects: my-app-dev, my-app-staging, and my-app-prod. Each project has its own resources, IAM bindings, quotas, billing account, and Terraform state. Nothing crosses project boundaries unless you explicitly configure it to.

What you get from separate projects

• IAM isolation: developers can have broad editor access in dev but read-only or no direct access in prod. Production changes go through the pipeline, not through the console.
• Blast radius reduction: a mistyped terraform destroy in dev cannot touch prod resources. They live in different projects with separate Terraform state files.
• Billing clarity: you can see exactly what each environment costs. Dev is usually much cheaper than prod, and you can set separate budgets and alerts per project.
• Quota separation: a load test or burst of CI builds in dev does not consume prod API quotas or Cloud Run concurrency limits.
• Secrets separation: Secret Manager secrets live in each project. Dev secrets cannot be accessed from the prod project even with a misconfigured IAM binding.
• Audit clarity: Cloud Audit Logs per project means prod changes have their own clean audit trail, separate from dev and staging noise.

How it works in practice

The overall flow follows a simple rule: code moves forward through environments, and each step requires more deliberation than the last.

Step-by-step release flow

1. Feature branch: tests only. A developer opens a pull request. Cloud Build runs tests automatically on every push. Nothing gets deployed until tests pass and the PR is approved.
2. Merge to main: automatic staging deploy. Once the PR merges, Cloud Build deploys the new image to the staging project. This is automatic and intentional. Continuous deployment to staging means there is always visibility into whether main is actually deployable.
3. Staging: validate the release candidate. Automated smoke tests run against the staging URL. The team reviews behaviour manually if the change is significant. Logs and metrics confirm nothing regressed.
4. Production: deliberate promotion. Promotion to production requires an explicit action. Options: push a version tag like v1.4.0, approve a Cloud Deploy rollout, or run a manual release trigger. No automatic push from main to prod.

Build once, promote the same artifact

The Docker image is built once from the commit SHA and pushed to Artifact Registry. The same image SHA that passes staging is the one deployed to production. If you build a new image for the production deployment, you are deploying code that was never tested in staging. The SHA is the guarantee that both environments ran identical software.

Environment-specific configuration

Each environment needs different values: different database URLs, different service sizes, different resource limits. The way you manage this separation determines how maintainable your pipeline is over time.

Non-sensitive configuration: Cloud Build substitutions

For values that are not secrets, define them as substitution variables on each Cloud Build trigger. Each trigger (one per environment) passes different values for the same variable names. The same cloudbuild.yaml works across all environments because only the trigger-level values change:

# Staging trigger: fires on push to main
trigger:
  branch: main
substitutions:
  _ENVIRONMENT: staging
  _PROJECT_ID: my-app-staging
  _REGION: europe-west2

---

# Production trigger: fires on push of v* tag
trigger:
  tag: "v.*"
substitutions:
  _ENVIRONMENT: production
  _PROJECT_ID: my-app-prod
  _REGION: europe-west2

The build file references these variables by name. No environment-specific values appear in the YAML committed to version control:

steps:
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    args:
      - gcloud
      - run
      - deploy
      - api-service
      - --image=europe-west2-docker.pkg.dev/$_PROJECT_ID/api/api:$SHORT_SHA
      - --region=$_REGION
      - --set-env-vars=ENVIRONMENT=$_ENVIRONMENT
      - --project=$_PROJECT_ID

Secrets: Secret Manager with consistent naming

Each environment project has its own Secret Manager instance. Name secrets identically across projects: database-url in my-app-dev and database-url in my-app-prod are separate secrets with separate values, but the same name. The pipeline uses $PROJECT_ID to build the resource path, so the configuration is identical across all environments:

availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/database-url/versions/latest
      env: 'DATABASE_URL'
    - versionName: projects/$PROJECT_ID/secrets/api-key/versions/latest
      env: 'API_KEY'

See Secrets in CI/CD Pipelines for the full availableSecrets syntax and the common mistake of passing secrets as substitution variables, which appear in build logs unredacted.

Infrastructure differences

Infrastructure should stay as similar as possible between staging and production, with only deliberate differences. Acceptable differences: smaller instance counts in staging, a one-tier-lower database, lower max-instances. These save cost without making staging useless as a pre-production gate.

Differences to avoid: scale-to-zero when prod does not scale to zero, missing IAM bindings that exist in prod, different network configurations, or a fundamentally different Cloud Run revision strategy. These stop staging from catching the issues it exists to catch.

Keeping staging and production in sync

Staging is only useful if it closely mirrors production. Environments drift apart over time unless you actively keep them aligned. This drift is slow and invisible until it matters.

What should be identical

• The Docker image SHA being deployed
• Database migration scripts, run in the same order
• Terraform module versions and configuration structure (only variable values differ)
• Application configuration shape: same environment variable names, different values
• Service behaviour expectations: same concurrency settings, same health check paths, same startup behaviour

What may legitimately differ

• Resource sizes: staging can use smaller Cloud SQL tiers and lower Cloud Run min-instances to reduce cost
• Instance counts: staging does not need full production capacity
• Data: staging uses anonymised or synthetic data, never real user data
• On-call: staging does not need an on-call rotation

When to use this pattern

The three-project, branch-based pattern is the right default for most teams building anything that serves real users. It fits well when:

• The product has paying or dependent users
• More than one engineer commits code to the repository
• A production incident has a real cost in user trust, revenue, or on-call time
• Infrastructure is managed with Terraform or another IaC tool
• The application is subject to compliance or audit requirements

When a lighter setup may be acceptable

Personal experiments, prototypes with no real users, and internal tools used only by the team building them may not need the full three-environment setup. A single project with one environment is fine for code that has no impact if it breaks. As soon as real users depend on the service, or as soon as more than one person is committing code, separate the environments and separate the projects.

Separate projects versus a shared project

Some teams start with a single GCP project and name resources by environment: api-dev, api-staging, api-prod all in the same project. This works briefly and then becomes a liability.

The overhead of separate projects is worth it

Three projects instead of one means some additional setup: cross-project IAM for the CI service account, a slightly more complex Terraform directory structure, and separate billing associations. Once configured, this requires no ongoing maintenance beyond what a single shared project would. The isolation you get in exchange is structural, not procedural. It cannot be accidentally bypassed.

A practical example: Cloud Run service release

Here is a complete release path for a Cloud Run service, from a feature branch to production. See CI/CD Pipelines for Cloud Run for the detailed pipeline setup.

1. Branch: feature/add-payments. Developer opens a PR. Cloud Build runs unit and integration tests. The PR cannot merge until tests pass and a reviewer approves.

2. Merge to main. The staging Cloud Build trigger fires. It builds the Docker image, tags it with the commit SHA (for example, api:a1b2c3d), pushes to Artifact Registry in my-app-staging, and deploys to Cloud Run in the staging project.

3. Staging validation. Automated smoke tests run against the staging Cloud Run URL. The team reviews manually if the change is significant. Logs confirm normal behaviour and no regressions.

4. Release tag. A team member pushes a version tag: git tag v1.4.0 && git push —tags. The production Cloud Build trigger fires. It pulls the same image SHA from Artifact Registry and deploys to Cloud Run in my-app-prod.

5. Production deploy. Cloud Run serves the new revision. Monitoring confirms success. If something goes wrong, rollback is a single command pointing Cloud Run traffic back to the previous revision.