Manage bindings

In Agent Registry, a binding represents a connection between a source agent and a target resource, such as another agent, an MCP server, or an endpoint. By creating bindings, you establish explicit relationships that let your orchestrator agents interact with downstream capabilities.

You use bindings to handle two scenarios:

• Resource connections: You can link a source agent to a target resource, such as another agent, an MCP server, or an endpoint. This scenario lets you map out multi-agent workflows where a primary orchestrator delegates tasks to specialized sub-agents or tools.
• Delegated permissions: You can associate an agent with an auth provider to let your agent connect to external targets or custom tools using its own credentials or on behalf of an individual user. This binding is required if your agent needs to authenticate to remote MCP servers or tools using OAuth tokens or API keys. With bindings, you don't have to manually define auth providers in your code. For detailed instructions, see Create an auth provider binding in this document.

This document describes how to create, view, update, and delete bindings in Agent Registry.

Before you begin

Before you can manage bindings, complete the following:

1. Set up Agent Registry.
2. Register the source and target resources. For more information, see Register services.
3. If you want to configure bindings for delegated permissions, create an auth provider with Agent Identity auth manager. For more information, see Authenticate to tools and resources.
4. To use the gcloud CLI commands in this document, make sure you have set up your Google Cloud CLI environment.

Required roles

To get the permissions that you need to manage bindings in Agent Registry, ask your administrator to grant you the following IAM roles on the project:

• Create, update, and delete bindings: Agent Registry API Admin (roles/agentregistry.admin)
• View bindings: Agent Registry API Viewer (roles/agentregistry.viewer)

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a binding

Create a binding to connect a source agent to a target resource:

gcloud alpha agent-registry bindings create BINDING_NAME \
  --project=PROJECT_ID \
  --location=REGION \
  --display-name="DISPLAY_NAME" \
  --source-identifier="SOURCE_ID" \
  --target-identifier="TARGET_ID"

Replace the following:

• BINDING_NAME: The name you want to give to the binding, for example, my-custom-binding.
• PROJECT_ID: The project ID.
• REGION: The registry region.
• DISPLAY_NAME: The human-readable name that you want to give to your binding, for example, My Custom Binding.
• SOURCE_ID: The identifier of the source agent in Uniform Resource Name (URN) format.
• TARGET_ID: The identifier of the target resource in URN format, such as an MCP server identifier.

Create an auth provider binding

You can associate an agent with an auth provider for delegated permissions. Before you create this binding, you must first create the auth provider with Agent Identity auth manager. For more information, see Authenticate to tools and resources.

When specifying the --auth-provider resource name, you must use your project ID:

gcloud alpha agent-registry bindings create BINDING_NAME \
  --project=PROJECT_ID \
  --location=REGION \
  --display-name="DISPLAY_NAME" \
  --source-identifier="SOURCE_ID" \
  --auth-provider="projects/PROJECT_ID/locations/REGION/connectors/AUTH_PROVIDER_ID"

Replace AUTH_PROVIDER_ID with the ID of your auth provider.

For examples of how to use these bindings in your agent code, see Resolve bindings in your ADK code.

List bindings

List all bindings in a specific location:

gcloud alpha agent-registry bindings list \
  --project=PROJECT_ID \
  --location=REGION

View binding details

Retrieve the details of a single binding:

gcloud alpha agent-registry bindings describe BINDING_NAME \
  --project=PROJECT_ID \
  --location=REGION

Update a binding

Update the parameters of an existing binding, such as its display name or description, using gcloud CLI flags:

gcloud alpha agent-registry bindings update BINDING_NAME \
  --project=PROJECT_ID \
  --location=REGION \
  --display-name="NEW_DISPLAY_NAME"

Delete a binding

To remove a connection between resources, delete the binding record:

gcloud alpha agent-registry bindings delete BINDING_NAME \
  --project=PROJECT_ID \
  --location=REGION

What's next

• Learn how to authenticate to tools and resources using auth provider bindings.
• Learn how to resolve endpoints and build orchestrators using Agent Development Kit (ADK).