feat: enhance agent identity roles and clean up deploy.py (#721)

* feat: enhance agent identity roles and clean up deploy.py

- Add roles for API Registry, logging, and monitoring
- Remove unused agent_config dict
- Consolidate duplicate deployment messages
- Simplify docstring and remove redundant comments

* refactor: consolidate agent identity setup into single function

- Rename grant_agent_identity_roles to setup_agent_identity
- Move agent creation into the function
- Only run on first deployment, not on updates

Author: eliasecchig

agent_starter_pack/deployment_targets/agent_engine/python/{{cookiecutter.agent_directory}}/app_utils/deploy.py

@@ -140,23 +140,24 @@ def print_deployment_success(
 {%- endif %}
 
 
-def grant_agent_identity_roles(agent: Any, project: str) -> None:
-    """Grant required IAM roles to the agent identity principal.
+def setup_agent_identity(client: Any, project: str, display_name: str) -> Any:
+    """Create agent with identity and grant required IAM roles."""
+    click.echo(f"\n🔧 Creating agent identity for: {display_name}")
+    agent = client.agent_engines.create(
+        config={"identity_type": IdentityType.AGENT_IDENTITY}
+    )
 
-    Uses get-modify-set pattern with etag for optimistic concurrency control.
-    The policy object returned by get_iam_policy includes an etag that is
-    automatically validated by set_iam_policy to prevent race conditions.
-    """
     roles = [
         "roles/aiplatform.expressUser",
         "roles/serviceusage.serviceUsageConsumer",
         "roles/browser",
+        "roles/cloudapiregistry.viewer",
+        "roles/logging.logWriter",
+        "roles/monitoring.metricWriter",
     ]
     principal = f"principal://{agent.api_resource.spec.effective_identity}"
-    click.echo(f"\n🔐 Granting IAM roles to agent identity: {principal}")
+    click.echo(f"🔐 Granting IAM roles to: {principal}")
     proj_client = resourcemanager_v3.ProjectsClient()
-    # Policy includes etag for optimistic locking - set_iam_policy will fail
-    # if policy was modified between get and set operations
     policy = proj_client.get_iam_policy(
         request=iam_policy_pb2.GetIamPolicyRequest(resource=f"projects/{project}")
     )
@@ -167,7 +168,8 @@ def grant_agent_identity_roles(agent: Any, project: str) -> None:
             resource=f"projects/{project}", policy=policy
         )
     )
-    click.echo("  ✅ Granted IAM roles")
+    click.echo("  ✅ Agent identity ready")
+    return agent
 
 
 @click.command()
@@ -317,18 +319,22 @@ def deploy_agent_engine_app(
 
     # Log deployment parameters
     click.echo("\n📋 Deployment Parameters:")
-    click.echo(f"  Project: {project}")
-    click.echo(f"  Location: {location}")
-    click.echo(f"  Display Name: {display_name}")
-    click.echo(f"  Min Instances: {min_instances}")
-    click.echo(f"  Max Instances: {max_instances}")
-    click.echo(f"  CPU: {cpu}")
-    click.echo(f"  Memory: {memory}")
-    click.echo(f"  Container Concurrency: {container_concurrency}")
+    params = [
+        ("Project", project),
+        ("Location", location),
+        ("Display Name", display_name),
+        ("Min Instances", min_instances),
+        ("Max Instances", max_instances),
+        ("CPU", cpu),
+        ("Memory", memory),
+        ("Container Concurrency", container_concurrency),
+    ]
     if service_account:
-        click.echo(f"  Service Account: {service_account}")
+        params.append(("Service Account", service_account))
     if agent_identity:
-        click.echo("  Agent Identity: Enabled (Preview)")
+        params.append(("Agent Identity", "Enabled (Preview)"))
+    for name, value in params:
+        click.echo(f"  {name}: {value}")
     if env_vars:
         click.echo("\n🌍 Environment Variables:")
         for key, value in sorted(env_vars.items()):
@@ -388,11 +394,6 @@ def deploy_agent_engine_app(
         resource_limits={"cpu": cpu, "memory": memory},
         identity_type=IdentityType.AGENT_IDENTITY if agent_identity else None,
     )
-
-    agent_config = {
-        "agent": agent_instance,
-        "config": config,
-    }
 {%- else %}
     # Generate class methods spec from register_operations
     class_methods_list = generate_class_methods_from_agent(agent_instance)
@@ -427,22 +428,15 @@ def deploy_agent_engine_app(
         if agent.api_resource.display_name == display_name
     ]
 
-    # Handle agent identity: create empty agent if needed, then grant roles
-    if agent_identity:
-        if not matching_agents:
-            click.echo(f"\n🔧 Creating agent identity for: {display_name}")
-            empty_agent = client.agent_engines.create(
-                config={"identity_type": IdentityType.AGENT_IDENTITY}
-            )
-            matching_agents = [empty_agent]
-        grant_agent_identity_roles(matching_agents[0], project)
+    # Setup agent identity on first deployment
+    if agent_identity and not matching_agents:
+        matching_agents = [setup_agent_identity(client, project, display_name)]
 
     # Deploy the agent (create or update)
+    action = "Updating" if matching_agents else "Creating"
+    click.echo(f"\n🚀 {action} agent: {display_name} (this can take 3-5 minutes)...")
+
     if matching_agents:
-        click.echo(f"\n📝 Updating agent: {display_name}")
-        click.echo(
-            "🚀 Deploying to Vertex AI Agent Engine (this can take 3-5 minutes)..."
-        )
 {%- if cookiecutter.is_adk_live %}
         remote_agent = client.agent_engines.update(
             name=matching_agents[0].api_resource.name,
@@ -455,10 +449,6 @@ def deploy_agent_engine_app(
         )
 {%- endif %}
     else:
-        click.echo(f"\n🚀 Creating new agent: {display_name}")
-        click.echo(
-            "🚀 Deploying to Vertex AI Agent Engine (this can take 3-5 minutes)..."
-        )
 {%- if cookiecutter.is_adk_live %}
         remote_agent = client.agent_engines.create(
             agent=agent_instance,