What you need
- GCP account (
e2-microis free-tier eligible) gcloudCLI, or the Cloud Console- SSH access from your laptop
- Docker and Docker Compose
- Model auth credentials
- Optional provider credentials (WhatsApp QR, Telegram bot token, Gmail OAuth)
- ~20-30 minutes
Quick path
- Create a GCP project, enable billing and the Compute Engine API
- Create a Compute Engine VM (
e2-small, Debian 12, 20GB) - SSH into the VM, install Docker
- Clone the OpenClaw repository
- Create persistent host directories
- Configure
.envanddocker-compose.yml - Bake required binaries, build, and launch
Install gcloud CLI (or use Console)
Install from cloud.google.com/sdk/docs/install, then:Or do every step below through the Cloud Console web UI instead.
Create a GCP project
Create the VM
| Type | Specs | Cost | Notes |
|---|---|---|---|
| e2-medium | 2 vCPU, 4GB RAM | ~$25/mo | Most reliable for local Docker builds |
| e2-small | 2 vCPU, 2GB RAM | ~$12/mo | Minimum recommended for a Docker build |
| e2-micro | 2 vCPU (shared), 1GB RAM | Free tier eligible | Often fails with Docker build OOM (exit 137) |
SSH into the VM
Install Docker (on the VM)
Clone the OpenClaw repository
Create persistent host directories
Docker containers are ephemeral; all long-lived state must live on the host.
Configure environment variables
Create Set Do not commit this file. It holds container/runtime env such as
.env in the repository root:OPENCLAW_GATEWAY_TOKEN to manage the stable gateway token through
.env; otherwise configure gateway.auth.token before relying on clients
across restarts. If neither is set, OpenClaw uses a runtime-only token for
that startup. Generate a keyring password for GOG_KEYRING_PASSWORD:OPENCLAW_GATEWAY_TOKEN. Stored provider OAuth/API-key auth lives in the
mounted ~/.openclaw/agents/<agentId>/agent/auth-profiles.json.Docker Compose configuration
Create or update
docker-compose.yml:--allow-unconfigured is only for bootstrap convenience, not a substitute for real gateway configuration. Still set auth (gateway.auth.token or password) and a safe bind mode for your deployment.Shared Docker VM runtime steps
Follow the shared runtime guide for the common Docker host flow:
GCP-specific launch notes
If the build fails with Replace
Killed or exit code 137 during pnpm install --frozen-lockfile, the VM is out of memory. Use e2-small at minimum, or e2-medium for more reliable first builds.When binding to LAN (OPENCLAW_GATEWAY_BIND=lan), configure a trusted browser origin before continuing:18789 with your configured port if you changed it.Access from your laptop
Create an SSH tunnel to forward the Gateway port:Open If the UI prompts for shared-secret auth, paste the configured token or
password into Control UI settings (this Docker flow writes a token by
default; use your configured password instead if you switched to password
auth).If Control UI shows See Docker VM Runtime for the shared persistence map and update flow.
http://127.0.0.1:18789/ in your browser.Reprint a clean dashboard link:unauthorized or disconnected (1008): pairing required, approve the browser device:Troubleshooting
SSH connection refused SSH key propagation can take 1-2 minutes after VM creation. Wait and retry. OS Login issues Check your OS Login profile:Killed and exit code 137, the VM was OOM-killed:
Service accounts (security best practice)
For personal use, your default user account works fine. For automation or CI/CD, create a dedicated service account with minimal permissions:Next steps
- Set up messaging channels: Channels
- Pair local devices as nodes: Nodes
- Configure the Gateway: Gateway configuration