Self-Host OpenClaw on Google Cloud

Deploy OpenClaw on Google Cloud Compute Engine with Docker. Complete guide covering instance setup, Docker Compose configuration, SSH tunnels, and cost optimization for GCP.

Difficulty: intermediate | Time: ~25 min | Cost: ~$5-25/mo

This guide covers deploying OpenClaw on a Google Cloud Compute Engine instance using Docker. GCP offers competitive pricing, a generous free tier, and straightforward tooling. By the end, you will have OpenClaw running in a Docker container on a Debian VM, accessible through a secure SSH tunnel.

Quick Path

For users comfortable with gcloud:

  1. gcloud init and create or select a project
  2. Enable the Compute Engine API
  3. Create an e2-small instance with Debian 12 and a 20 GB boot disk, with no HTTP/HTTPS network tags
  4. SSH in, install Docker and Docker Compose
  5. Create persistent directories, .env, and docker-compose.yml
  6. docker compose up -d
  7. Access via SSH tunnel: gcloud compute ssh openclaw-vm -- -L 18789:127.0.0.1:18789
  8. Open http://localhost:18789

Prerequisites

Verify your gcloud installation:

gcloud version

Step 1: Initialize and Configure the Project

If you have not already initialized gcloud, do so now:

gcloud init

Create a dedicated project for OpenClaw (or use an existing one):

gcloud projects create openclaw-hosting --name="OpenClaw Hosting"
gcloud config set project openclaw-hosting

Link a billing account to the project. You can find your billing account ID in the Cloud Console:

gcloud billing projects link openclaw-hosting \
  --billing-account=YOUR_BILLING_ACCOUNT_ID

Step 2: Enable the Compute Engine API

gcloud services enable compute.googleapis.com

This may take a minute the first time. You can verify it is enabled:

gcloud services list --enabled --filter="name:compute.googleapis.com"

Step 3: Create the Compute Engine Instance

Create a VM with Debian 12, an appropriately sized boot disk, and no public-facing HTTP tags:

gcloud compute instances create openclaw-vm \
  --zone=us-central1-a \
  --machine-type=e2-small \
  --image-family=debian-12 \
  --image-project=debian-cloud \
  --boot-disk-size=20GB \
  --boot-disk-type=pd-balanced \
  --metadata=enable-oslogin=TRUE \
  --scopes=default

The instance gets a public IP by default (needed for outbound package downloads), but no firewall rules allow inbound HTTP/HTTPS traffic. SSH access is permitted by the default GCP firewall rules.

Machine Type Comparison

| Machine Type | vCPUs | RAM | Monthly Cost | Notes |
|---|---|---|---|---|
| e2-micro | 2 (shared) | 1 GB | Free tier eligible | Tight on memory, may OOM |
| e2-small | 2 (shared) | 2 GB | ~$12/mo | Minimum recommended |
| e2-medium | 2 (shared) | 4 GB | ~$25/mo | Comfortable headroom |
| e2-standard-2 | 2 | 8 GB | ~$49/mo | Heavy workloads |

The e2-small is the sweet spot for most users. If you run into out-of-memory issues, resize to e2-medium without deleting the instance, using the process described in the troubleshooting section.

Step 4: SSH into the Instance and Install Docker

Connect to the VM:

gcloud compute ssh openclaw-vm --zone=us-central1-a

The first time you connect, gcloud generates SSH keys automatically and propagates them to the instance. This can take 30-60 seconds.

Once connected, install Docker:

# Install prerequisites
sudo apt update
sudo apt install -y ca-certificates curl gnupg

# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add the Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine and Compose
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Add your user to the docker group (avoids needing sudo for docker commands).
# Members of the docker group have root-equivalent access to this host.
sudo usermod -aG docker "$USER"
newgrp docker

Verify Docker is working:

docker run --rm hello-world

Step 5: Set Up OpenClaw with Docker Compose

Create the directory structure for persistent data:

mkdir -p ~/openclaw/data ~/openclaw/workspace
cd ~/openclaw

Create the environment file:

cat > .env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-your-key-here
OPENCLAW_GATEWAY_TOKEN=your-secure-token-here
NODE_ENV=production
EOF

Set restrictive permissions on the env file:

chmod 600 .env

Create the Docker Compose configuration:

cat > docker-compose.yml << 'EOF'
version: "3.8"

services:
  openclaw:
    image: ghcr.io/openclaw/openclaw:latest
    container_name: openclaw
    restart: unless-stopped
    ports:
      - "127.0.0.1:18789:18789"
    env_file:
      - .env
    environment:
      - OPENCLAW_STATE_DIR=/data
      - OPENCLAW_WORKSPACE_DIR=/workspace
    volumes:
      - ./data:/data
      - ./workspace:/workspace
    deploy:
      resources:
        limits:
          memory: 1536M
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:18789/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
EOF

The 127.0.0.1:18789:18789 binding ensures the port is only accessible from localhost, not from the public internet.
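
A pre-flight check for the Step 5 files, as an added example that is not part of the original guide or the OpenClaw project: it flags compose port mappings that are not bound to loopback and a .env that is accessible to group/other or still holds the placeholder values. The function names are hypothetical, the sample files are constructed, and only the short port syntax used above is handled.

```shell
#!/usr/bin/env bash
# Added example, not from the OpenClaw project: pre-flight checks for ~/openclaw.
# Handles only the short "IP:HOST_PORT:CONTAINER_PORT" syntax used in this guide.

# Print each published port in a compose file that is not bound to loopback.
# Returns 1 if any such mapping is found.
exposed_ports() {
  awk -v q="'" '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-[ \t]/ {
      m = $0
      sub(/^[ \t]*-[ \t]*/, "", m)     # drop the list dash
      sub(/[ \t]*#.*$/, "", m)         # drop a trailing comment
      gsub("[\"" q "]", "", m)         # drop YAML quotes
      if (m !~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|\[::1\]):/) { print m; bad = 1 }
      next
    }
    in_ports && NF { in_ports = 0 }    # any other non-blank line ends the list
    END { exit bad + 0 }
  ' "$1"
}

# Fail if .env is accessible to group/other or still holds the guide placeholders.
check_env() {
  perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
  if [ "$perms" != "------" ]; then
    echo "$1: group/other permissions set ($perms), run chmod 600"; return 1
  fi
  if grep -Eq '=(sk-ant-your-key-here|your-secure-token-here)$' "$1"; then
    echo "$1: placeholder value still present"; return 1
  fi
}

# Demo on constructed files: the guide's loopback mapping versus "18789:18789",
# which Docker would publish on every interface of the VM.
demo() {
  d=$(mktemp -d)
  printf 'services:\n  openclaw:\n    ports:\n      - "127.0.0.1:18789:18789"\n' > "$d/good.yml"
  printf 'services:\n  openclaw:\n    ports:\n      - "18789:18789"\n' > "$d/bad.yml"
  exposed_ports "$d/good.yml" && echo "good.yml: loopback only"
  exposed_ports "$d/bad.yml"  || echo "bad.yml: published beyond loopback"
  rm -rf "$d"
}
demo
```

On the VM, run `exposed_ports ~/openclaw/docker-compose.yml && check_env ~/openclaw/.env` before `docker compose up -d`.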

Step 6: Start OpenClaw

docker compose up -d

Check that the container is running and healthy:

docker compose ps
docker compose logs -f --tail=50

Wait until you see a log line indicating the server is ready, then press Ctrl+C to stop following logs.

Step 7: Access OpenClaw via SSH Tunnel

From your local machine (not the VM), create an SSH tunnel that forwards the OpenClaw port:

gcloud compute ssh openclaw-vm \
  --zone=us-central1-a \
  -- -L 18789:127.0.0.1:18789 -N

The -N flag tells SSH not to open a shell, just maintain the tunnel. Leave this terminal running.

Open your browser and navigate to:

http://localhost:18789

You now have secure access to OpenClaw without any public-facing endpoints.

Service Account Security

The default Compute Engine service account has broad permissions. For production deployments, create a dedicated service account with minimal privileges:

# Create a restricted service account
gcloud iam service-accounts create openclaw-sa \
  --display-name="OpenClaw VM Service Account"

# Grant only the permissions needed (logging and monitoring)
gcloud projects add-iam-policy-binding openclaw-hosting \
  --member="serviceAccount:openclaw-sa@openclaw-hosting.iam.gserviceaccount.com" \
  --role="roles/logging.logWriter"

gcloud projects add-iam-policy-binding openclaw-hosting \
  --member="serviceAccount:openclaw-sa@openclaw-hosting.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"

When creating the VM (or updating it), attach this service account instead of the default one. To change it on an existing VM, the instance must be stopped first:

gcloud compute instances set-service-account openclaw-vm \
  --zone=us-central1-a \
  --service-account=openclaw-sa@openclaw-hosting.iam.gserviceaccount.com \
  --scopes=logging-write,monitoring-write

Updating OpenClaw

To pull the latest version:

gcloud compute ssh openclaw-vm --zone=us-central1-a
cd ~/openclaw
docker compose pull
docker compose up -d

Docker Compose will detect the updated image and recreate the container. Your data in ./data and ./workspace persists across container recreations.

Cost Optimization

Preemptible / Spot VMs

If your OpenClaw usage is intermittent, a Spot VM can cut compute costs by 60-91%:

gcloud compute instances create openclaw-vm \
  --zone=us-central1-a \
  --machine-type=e2-small \
  --provisioning-model=SPOT \
  --instance-termination-action=STOP \
  --image-family=debian-12 \
  --image-project=debian-cloud \
  --boot-disk-size=20GB

Spot VMs can be preempted (stopped) by GCP when capacity is needed. The STOP termination action preserves the disk so you can restart manually.

Scheduled Start/Stop

If you only use OpenClaw during work hours:

# Stop the VM (no compute charges while stopped)
gcloud compute instances stop openclaw-vm --zone=us-central1-a

# Start it back up
gcloud compute instances start openclaw-vm --zone=us-central1-a

Automate this with Cloud Scheduler and Cloud Functions, or use the Instance Schedule feature in the GCP Console.

Committed Use Discounts

For predictable, always-on usage, 1-year committed use discounts save ~57% and 3-year discounts save ~70%.

Security Best Practices

Troubleshooting

SSH key propagation delay

After creating a new VM, gcloud compute ssh may fail for the first 30-60 seconds while OS Login propagates keys. Wait and retry:

# Check instance status first
gcloud compute instances describe openclaw-vm \
  --zone=us-central1-a \
  --format="value(status)"

If it shows RUNNING but SSH still fails, wait another 30 seconds and try again.

Out-of-memory (OOM) crashes

If the Docker container keeps restarting, check for OOM kills:

docker inspect openclaw --format='{{.State.OOMKilled}}'
sudo dmesg | grep -i oom

Resize the machine type without deleting the instance:

# Stop the instance first
gcloud compute instances stop openclaw-vm --zone=us-central1-a

# Change to a larger machine type
gcloud compute instances set-machine-type openclaw-vm \
  --zone=us-central1-a \
  --machine-type=e2-medium

# Restart
gcloud compute instances start openclaw-vm --zone=us-central1-a

Then SSH back in and run docker compose up -d to restart OpenClaw.

OS Login issues

If you get permission denied errors with OS Login:

# Verify your user has the required IAM role
gcloud projects get-iam-policy openclaw-hosting \
  --flatten="bindings[].members" \
  --filter="bindings.members:user:YOUR_EMAIL" \
  --format="table(bindings.role)"

You need at least roles/compute.osLogin (or roles/compute.osAdminLogin for sudo access):

gcloud projects add-iam-policy-binding openclaw-hosting \
  --member="user:your-email@example.com" \
  --role="roles/compute.osAdminLogin"

Docker Compose not found

If docker compose (v2) is not recognized, you may have the older v1 installed:

# Check version
docker compose version

# If that fails, try the v1 syntax
docker-compose version

If neither works, reinstall the Docker Compose plugin:

sudo apt install -y docker-compose-plugin

Cleanup

Remove all resources to stop billing:

# Delete the VM (and its boot disk)
gcloud compute instances delete openclaw-vm \
  --zone=us-central1-a \
  --quiet

# Optionally delete the entire project
gcloud projects delete openclaw-hosting --quiet

Deleting the project removes all resources, firewall rules, service accounts, and billing associations.

Frequently Asked Questions

Can I use the GCP free tier to run OpenClaw?

Yes, partially. The e2-micro instance (2 vCPUs, 1 GB RAM) is included in the free tier in us-central1, us-west1, and us-east1. However, 1 GB RAM is tight for OpenClaw and may result in out-of-memory crashes during heavy tasks. The e2-small at ~$12/month is the recommended minimum.

How do I access OpenClaw without exposing it to the internet?

Use an SSH tunnel via gcloud compute ssh. The command 'gcloud compute ssh openclaw-vm -- -L 18789:127.0.0.1:18789' forwards the OpenClaw port to your local machine. No firewall rules or public endpoints are needed.

What happens to my data if the VM restarts?

OpenClaw data is stored in Docker volumes mapped to persistent directories on the boot disk. The boot disk persists across VM restarts and stop/start cycles. Data is only lost if you delete the disk or the VM. For additional safety, set up periodic snapshots.

Can I use Cloud Run or GKE instead of Compute Engine?

Cloud Run is not ideal because OpenClaw requires persistent filesystem state and long-running processes. GKE works but adds significant complexity and cost for a single-instance deployment. Compute Engine gives you the best control-to-simplicity ratio for self-hosting.

How do I monitor resource usage on the VM?

GCP automatically collects basic metrics (CPU, disk, network) visible in the Cloud Console under Monitoring. For memory metrics, install the Ops Agent: 'curl -sSO https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh && sudo bash add-google-cloud-ops-agent-repo.sh --also-install'. This sends memory and process metrics to Cloud Monitoring.
