This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms, and theAdditional Terms for Generative AI Preview Products. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

Model Context Protocol(MCP) standardizes the way large language models (LLMs) and AI applications oragents connect to outside data sources. MCP servers let you use their tools,resources, and prompts to take actions and get updated data from their backendservice.

Local MCP servers typically run on your local machine and use the standard inputand output streams (stdio) for communication between services on the samedevice. Remote MCP servers run on the service's infrastructure and offer an HTTPendpoint to AI applications for communication between the AI MCP client and theMCP server. For more information on MCP architecture, seeMCP architecture.

This document describes how to use the Spannerremote Model Context Protocol (MCP) server to connect toSpanner from AI applications such asGemini CLI,agent mode in Gemini Code Assist, ClaudeCode, or from AI applications you're developing.

For information on the Spanner local MCP server, seeSpanner MCP server on GitHub.

Google and Google Cloud remote MCP servers have the followingfeatures and benefits:

• Simplified, centralized discovery.
• Managed global or regional HTTP endpoints.
• Fine-grained authorization.
• Optional prompt and response security withModel Armor protection.
• Centralized audit logging.

For information about other MCP servers and information about securityand governance controls available for Google Cloud MCP servers,seeGoogle Cloud MCP servers overview.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector

Verify that billing is enabled for your Google Cloud project.

1. Enable the Spanner API.

   Roles required to enable APIs

   To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

   Enable the API

   For new projects, the Spanner API is automatically enabled.

Required roles

To get the permissions that you need to enable the Spanner MCP server, ask your administrator to grant you the following IAM roles on the project where you want to enable the Spanner MCP server:

• Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
• Make MCP tool calls:MCP Tool User (roles/mcp.toolUser)
• Use Spanner MCP tools:Cloud Spanner Admin (roles/spanner.admin)

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to enable the Spanner MCP server. To see the exact permissions that are required, expand theRequired permissions section:

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Enable or disable the Spanner MCP server

gcloudbetaservicesmcpenablespanner.googleapis.com\--project=PROJECT_ID

gcloudbetaservicesmcpdisablespanner.googleapis.com\--project=PROJECT_ID

Spanner MCP servers use theOAuth 2.0protocol withIdentity and Access Management (IAM)for authentication and authorization. AllGoogle Cloud identitiesare supported for authentication to MCP servers.

The Spanner remote MCP server doesn't accept API keys.

We recommend creating a separate identity for agents using MCP tools so thataccess to resources can be controlled and monitored. For more information onauthentication, seeAuthenticate to MCP servers.

Spanner MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticatedprincipal is authorized to take a specific action on a resource. For moreinformation about OAuth 2.0 scopes at Google, readUsing OAuth 2.0 to access Google APIs.

Spanner has the following MCP tool OAuth scopes:

For more information about these scopes, seeSpanner API.

Configure an MCP client to use the Spanner MCP server

AI applications and agents, such as Gemini CLI or Claude, caninstantiate an MCP client that connects to a single MCP server. An AIapplication can have multiple clients that connect to different MCP servers. Toconnect to a remote MCP server, the MCP client must know at a minimum the URL ofthe remote MCP server.

In your AI application, look for a way to connect to a remote MCP server. Youare prompted to enter details about the server, such as its name and URL.

For the Spanner MCP server, enter the following asrequired:

• Server name: Spanner MCP server
• Server URL orEndpoint: spanner.googleapis.com/mcp
• Transport: HTTP
• Authentication details: Depending on how you want to authenticate, you canenter your Google Cloud credentials, your OAuth Client IDand secret, or an agent identity and credentials. For more information onauthentication, seeAuthenticate to MCP servers.
• OAuth scope: theOAuth 2.0 scope thatyou want to use when connecting to the SpannerMCP server.

For host specific guidance, see the following:

• Gemini CLI
• Claude.ai

For more general guidance, see the following resources:

• Connect to remote MCP servers.
• Configure MCP in an AI application.

Available tools

MCP Tools that are read-only havethe MCP attributemcp.tool.isReadOnly set totrue. You might want to onlyallow read-only tools in certain environments through yourorganization policy.

To view details of available MCP tools and their descriptions for theSpanner MCP server, see theSpanner MCP reference.

List tools

Use theMCP inspector to list tools, or send atools/list HTTP request directly to the Spannerremote MCP server. Thetools/list method doesn't require authentication.

POST /mcp HTTP/1.1Host: spanner.googleapis.comContent-Type: application/json{  "jsonrpc": "2.0",  "method": "tools/list",}

Sample use cases

The following are sample use cases for the SpannerMCP server.

Application development with Spanner

An application developer can use the Spanner MCP serverto provision resources, create databases, and populate sample data.

Sample prompt: Create a regional Spanner instance in thePROJECT_ID project in theus-central1 regional instanceconfiguration. Create a database for tracking inventory and populate 5 sample products.

ReplacePROJECT_ID with your Google Cloud project ID.

Workflow:

The workflow for developing an application might look like the following:

• The agent calls thecreate_instance tool to provision a newSpanner instance using the specified instance configuration.The agent might invoke theget_operation tool to verify if the instance isready to be used.

• The agent calls thecreate_database tool for creating a new database withthe required schema. The agent might call theget_operation tool to checkthe status of the database creation operation.

• The agent can use a combination ofcreate_session,execute_sql, and thecommit tools to insert sample data.

• Optionally, the agent can call theexecute_sql tool to query and validatethe sample data creation.

Operational insights and database configuration management

Spanner administrators can use the Spanner MCPserver to gather information about Spanner instances anddatabases using tools likelist_instances,get_instance,list_databases,andget_database_ddl.

Sample prompts:

• List all Spanner instances in the current project.
• List all databases in the current Spanner instance.
• Show the schema for the current Spanner database.

Optional security and safety configurations

MCP introduces new security risks and considerations due to the wide variety ofactions that can be taken with MCP tools. To minimize and manage these risks,Google Cloud offers default and customizable policies tocontrol the use of MCP tools in your Google Cloudorganization or project.

For more information about MCP security and governance, seeAI security and safety.

Model Armor

Model Armor is aGoogle Cloud service designed to enhance the security andsafety of your AI applications. It works by proactively screening LLM promptsand responses, protecting against various risks and supporting responsible AIpractices. Whether you are deploying AI in your cloud environment, or onexternal cloud providers, Model Armor can helpyou prevent malicious input, verify content safety, protect sensitive data,maintain compliance, and enforce your AI safety and security policiesconsistently across your diverse AI landscape.

Model Armor is only available inspecific regional locations. If Model Armor isenabled for a project, and a call to that project comes from an unsupportedregion, Model Armor makes a cross-regional call. For more information, seeModel Armor locations.

1. To enable Model Armor on yourGoogle Cloud project, run the followinggcloud CLI command:

   gcloudservicesenablemodelarmor.googleapis.com\--project=PROJECT_ID

   ReplacePROJECT_ID with yourGoogle Cloud project ID.

2. To configure the recommendedfloor settings for Model Armor,run the following gcloud CLI command:

   gcloudmodel-armorfloorsettingsupdate\--full-uri='projects/PROJECT_ID/locations/global/floorSetting'\--mcp-sanitization=ENABLED\--malicious-uri-filter-settings-enforcement=ENABLED\--pi-and-jailbreak-filter-settings-enforcement=ENABLED\--pi-and-jailbreak-filter-settings-confidence-level=MEDIUM_AND_ABOVE

   ReplacePROJECT_ID with yourGoogle Cloud project ID.

   Model Armor is configured to scan formalicious URLs andprompt injection and jailbreak attempts.

   For moreinformation about configurable Model Armorfilters, seeModel Armor filters.

3. To add Model Armor as a content securityprovider for MCP services, run the followinggcloud CLI command:

   gcloudbetaservicesmcpcontent-securityaddmodelarmor.googleapis.com\--project=PROJECT_ID

   ReplacePROJECT_ID with theGoogle Cloud project ID.

4. To confirm that MCP traffic is sent toModel Armor, run the following command:

   gcloudbetaservicesmcpcontent-securityget\--project=PROJECT_ID

   ReplacePROJECT_ID with theGoogle Cloud project ID.

Model Armor logging

For information about Model Armor audit andplatform logs, seeModel Armor audit logging.

Disable Model Armor in a project

To disable Model Armor on a Google Cloud project, run thefollowing command:

gcloudbetaservicesmcpcontent-securityremovemodelarmor.googleapis.com\--project=PROJECT_ID

ReplacePROJECT_ID with theGoogle Cloud project ID.

MCP traffic on Google Cloud won't be scanned byModel Armor for the specified project.

Disable scanning MCP traffic with Model Armor

If you still want to use Model Armor in aproject, but you want to stop scanning MCP traffic withModel Armor, then run the following command:

gcloudmodel-armorfloorsettingsupdate\--full-uri='projects/PROJECT_ID/locations/global/floorSetting'\--mcp-sanitization=DISABLED

ReplacePROJECT_ID with theGoogle Cloud project ID.

Model Armor won't scan MCP traffic onGoogle Cloud.

Control MCP use with IAM deny policies

Identity and Access Management (IAM) deny policies help yousecure Google Cloud remote MCP servers. Configure these policies to blockunwanted MCP tool access.

For example, you can deny or allow access based on:

• The principal.
• Tool properties like read-only.
• The application's OAuth client ID.

For more information, seeControl MCP use with Identity and Access Management.

What's next

• Read theSpanner MCP reference documentation.
• Learn more aboutGoogle Cloud MCP servers.