This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms, and theAdditional Terms for Generative AI Preview Products. Pre-GA features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

Model Context Protocol(MCP) standardizes the way AI applications connect to outside data sourcesusing MCP servers and tools.

This document describes how to use the Cloud SQLremote Model Context Protocol (MCP) server to connect toCloud SQL for PostgreSQL from AI applications such asGemini CLI,agent mode in Gemini Code Assist, ClaudeCode, or in AI applications that you're developing.

Cloud SQL remote MCP server and other Google Cloud remote MCPservers have the following features and benefits:

• Simplified, centralized discovery.
• Managed global or regional HTTP endpoints.
• Fine-grained authorization.
• Optional prompt and response security withModel Armor protection.
• Centralized audit logging.

Remote MCP Servers are managed by Google and offer additional security andgovernance controls compared to local MCP Servers provided byCloud SQL for PostgreSQL MCP Toolbox for Databases. For more information about other remoteMCP servers and about the security and governance controls availablefor MCP, seeGoogle Cloud MCP servers overview.

The following sections only apply to the Cloud SQL for PostgreSQLremote MCP server.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector

If you're using an existing project for this guide,verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

Install thegcloud CLI.

Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

Toinitialize the gcloud CLI, run the following command:

gcloudinit

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

• Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
• Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector

If you're using an existing project for this guide,verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

Install thegcloud CLI.

Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

Toinitialize the gcloud CLI, run the following command:

gcloudinit

Required roles

To get the permissions that you need to enable and use the Cloud SQL remote MCP server, ask your administrator to grant you the following IAM roles on the project where you want to enable and use the remote Cloud SQL MCP server:

• Enable remote MCP server for a project:Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
• Make MCP tool calls in a project:MCP Tool User (roles/mcp.toolUser)
• Create, clone, or update a Cloud SQL instance:Cloud SQL Admin (roles/cloudsql.admin)
• Create or update a Cloud SQL user:Cloud SQL Admin (roles/cloudsql.admin)
• Execute SQL queries in Cloud SQL:
  • Cloud SQL Admin (roles/cloudsql.admin)
  • Cloud SQL Studio User (roles/cloudsql.StudioUser)
• Get a Cloud SQL instance or list all Cloud SQL instances in a project:Cloud SQL Viewer (roles/cloudsql.viewer)
• Import data into a Cloud SQL instance:
  • Cloud SQL Admin (roles/cloudsql.admin)
  • Storage Admin (roles/storage.admin)
• List Cloud SQL users:Cloud SQL Viewer (roles/cloudsql.viewer)

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to enable and use the Cloud SQL remote MCP server. To see the exact permissions that are required, expand theRequired permissions section:

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Enable or disable the Cloud SQL MCP server

You can enable the Cloud SQL MCP serverin a project with thegcloud beta services mcp enable command.

Enable the Cloud SQL MCP server in a project

To enable the Cloud SQL MCP server in yourGoogle Cloud project, run the following command:

gcloudbetaservicesmcpenablesqladmin.googleapis.com\--project=PROJECT_ID

Replace the following:

• PROJECT_ID: the Google Cloud project ID.

After you run the command, the Cloud SQL remote MCP server is enabled.

If the Cloud SQL service isn't enabled for yourGoogle Cloud project, then you're prompted to enablethe service before enabling the Cloud SQL remote MCPserver.

If you're using different projects for your client credentials, such as serviceaccount keys, OAuth client ID or API keys, and for hosting your resources, thenyou must enable the Cloud SQL service and theCloud SQL remote MCP server on both projects.

Disable the Cloud SQL MCP server in a project

To disable the Cloud SQL MCP server in yourGoogle Cloud project, run the following command:

gcloudbetaservicesmcpdisablesqladmin.googleapis.com\--project=PROJECT_ID

The Cloud SQL MCP server is disabled for use inyour Google Cloud project.

Configure an MCP client to use the Cloud SQL MCP server

Host programs, such as Claude or the Gemini CLI, can instantiate MCPclients that connect to a single MCP server. A host program can have multipleclients that connect to different MCP servers. To connect to a remote MCP server,the MCP client must know at a minimum the URL of the remote MCP server.

Use the following instructions to configure MCP clients to connect to your remoteCloud SQL MCP server.

General guidance for MCP clients

If your MCP client isn't listed inConfigure an MCP client to use the Cloud SQL MCP server,then you use the following information to connect to a remote MCPserver in your host program or AI application. You are promptedto enter details about the server, such as its name and URL.

For the Cloud SQL remote MCP server, enter the following asrequired:

• Server name: Cloud SQL MCP server
• Server URL orEndpoint: https://sqladmin.googleapis.com/mcp
• Transport: HTTP
• Authentication details: Depending on how you want to authenticate, you canenter your Google Cloud credentials, your OAuth Client IDand secret, or an agent identity and credentials.

For more general guidance, see the following resources:

• Authenticate to MCP servers.
• Configure MCP in an AI application.

Authentication and authorization

Cloud SQL MCP servers use theOAuth 2.0protocol withIdentity and Access Management (IAM)for authentication and authorization. AllGoogle Cloud identitiesare supported for authentication to MCP servers.

The Cloud SQL remote MCP server doesn't accept API keys.

We recommend creating a separate identity for agents using MCP tools so thataccess to resources can be controlled and monitored. For more information onauthentication, seeAuthenticate to MCP servers.

Cloud SQL MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticatedprincipal is authorized to take a specific action on a resource. For moreinformation about OAuth 2.0 scopes at Google, readUsing OAuth 2.0 to access Google APIs.

Cloud SQL has the following MCP tool OAuth scopes:

Additional scopes might be required on the resources accessed during a toolcall. To view a list of scopes required forCloud SQL, seeCloud SQL Admin API.

Available tools

• clone_instance: creates a Cloud SQL instance as a clone of source instance.
• create_instance: initiates the creation of a Cloud SQL instance.
• create_user: creates a database user for a Cloud SQL instance.
• execute_sql: executes any valid SQL statements (DDL, DCL, DQL, DML) on a Cloud SQLinstance.
• get_instance: gets the details of a Cloud SQL instance.
• get_operation: gets the status of a long-running operation in Cloud SQL.
• list_instances: lists all Cloud SQL instances in a project.
• list_users: lists all database users for a Cloud SQL instance.
• import_data: imports data into a Cloud SQL instance from Cloud Storage.
• update_instance: updates supported settings of a Cloud SQL instance.
• update_user: updates a database user for a Cloud SQL instance.

To view additional details of available MCP tools and their descriptions for theCloud SQL remote MCP server, see theCloud SQL MCP reference.

List tools

Use theMCP inspector to list tools, or send atools/list HTTP request directly to the Cloud SQLremote MCP server. Thetools/list method doesn't require authentication.

POST /mcp HTTP/1.1Host: sqladmin.googleapis.comContent-Type: application/json{  "jsonrpc": "2.0",  "method": "tools/list",}

Execute SQL statements

To execute SQL statements, your Cloud SQL instance must meet thefollowing requirements:

• Thedata_api_access setting on the instance must be set to thevalueALLOW_DATA_API. When you create an instanceusing thecreate_instance tool, thedata_api_access isconfigured automatically.

• The Cloud SQL instance must also haveIAM database authentication enabled.Theexecute_sql tool can only use anIAM database authentication user account to run SQL statements. The SQL statements will use theprivileges associated with the IAM database authentication user account.

If the instance isn't configured toALLOW_DATA_API, then use theupdate_instance toolto update the configuration for the instance.

Sample use cases

The following are sample use cases for the Cloud SQLMCP server:

Web application development

A sample use case might be the rapid development of web applications andthe provisioning of Cloud SQL instances as their source database.In this use case, using the Cloud SQL MCP server lets you build a newdatabase and populate it with initial data for a new project usingnatural language.

Sample prompt:

"Create a new PostgreSQL development instance and set up a table called products."

Workflow:

The workflow for setting up a web application might look like the following:

• Provisioning: The agent calls thecreate_instance tool to create a new Cloud SQL instance with development environment-sized specifications.

• Verification: The agent uses theget_operation tool to poll the status of the instance creation operation.

• Connection: When the operation is complete, the agent uses theget_instance tool to retrieve the instance connection metadata.

• Schema setup: When ready, the agent uses theexecute_sql to run theCREATE TABLE products SQL statement.

• Data seeding: The agent usesexecute_sql again to insert initial seed data (DML) into the newly created table.

• Data seeding: When ready, the agent uses theimport_data to import a data file from Cloud Storage of products.

Query a database using natural language

You can query a Cloud SQL database, update records, and make schemaupdates using natural language.

Sample prompt:

"Add a `stock_count` column to the inventory table."

Workflow: The workflow for querying a database with natural language might look like the following.

• Schema migration: The agent callsexecute_sql to run anALTER TABLE statement, adding the newstock_count column to the database schema.

• Validation: The agent usesget_instance to confirm that the instance update has successfully completed.

Sample prompt:

"Show me a list of shoes that are priced above $100 from the inventory table."

Workflow:

• Query execution: The agent callsexecute_sql to run the SQL statement that retrieves the data.

Limitations

The Cloud SQL remote MCP server has the following limitations:

• Thecreate_user tool doesn't support creatinga built-in authentication user with a password.
• If theexecute_sql tool returns a response that'slarger than 10 MB, then the response will be truncated.
• When using theexecute_sql tool, queries that run for longer than 30 secondscan time out.

Optional security and safety configurations

Google Cloud offers an integration with Model Armor for remoteMCP Servers to help you use MCP tools securely.For more information about MCP security and governance, seeAI security and safety.

Model Armor

Model Armor is aGoogle Cloud service designed to enhance the security andsafety of your AI applications. It works by proactively screening LLM promptsand responses, protecting against various risks and supporting responsible AIpractices. Whether you are deploying AI in your cloud environment, or onexternal cloud providers, Model Armor can helpyou prevent malicious input, verify content safety, protect sensitive data,maintain compliance, and enforce your AI safety and security policiesconsistently across your diverse AI landscape.

Model Armor is only available inspecific regional locations. If Model Armor isenabled for a project, and a call to that project comes from an unsupportedregion, then Model Armor makes a cross-regional call.For more information, seeModel Armor locations.

gcloudservicesenablemodelarmor.googleapis.com\--project=PROJECT_ID

1. Set up a Model Armor floor setting with MCP sanitizationenabled. For more information, seeConfigure Model Armor floorsettings.

   Note: If the agent and the MCP server are in different projects, you can create floor settings in both projects (the client project and the resource project). In this case, Model Armor is invoked twice, once for each project.

   See the following example command:

   gcloudmodel-armorfloorsettingsupdate\--full-uri='projects/PROJECT_ID/locations/global/floorSetting'\--enable-floor-setting-enforcement=TRUE\--add-integrated-services=GOOGLE_MCP_SERVER\--google-mcp-server-enforcement-type=INSPECT_AND_BLOCK\--enable-google-mcp-server-cloud-logging\--malicious-uri-filter-settings-enforcement=ENABLED\--add-rai-settings-filters='[{"confidenceLevel": "HIGH", "filterType": "DANGEROUS"}]'

   ReplacePROJECT_ID with your Google Cloud projectID.

   Note the following settings:

   • INSPECT_AND_BLOCK: The enforcement type that inspects content for the Google MCP server and blocks prompts andresponses that match the filters.
   • ENABLED: The setting that enables a filter orenforcement.
   • HIGH: The confidence level for the Responsible AI - Dangerous filter settings. You can modify this setting, thoughlower values might result in more false positives. For more information,seeConfigure floor settings.

2. For your project, enable Model Armor protection for remote MCP servers.

   gcloudbetaservicesmcpcontent-securityaddmodelarmor.googleapis.com--project=PROJECT_ID

   ReplacePROJECT_ID with your Google Cloudproject ID. After you run this command, Model Armor sanitizesall MCP tool calls and responses from the project, regardless of where thecalls and responses originate.

3. To confirm that Google MCP traffic is sent to Model Armor,run the following command:

   gcloudbetaservicesmcpcontent-securityget--project=PROJECT_ID

   ReplacePROJECT_ID with the Google Cloud project ID.

Disable Model Armor in a project

To disable Model Armor on a Google Cloud project, run thefollowing command:

gcloudbetaservicesmcpcontent-securityremovemodelarmor.googleapis.com\--project=PROJECT_ID

ReplacePROJECT_ID with the Google Cloud projectID.

Google MCP traffic won't be scanned by Model Armor for thespecified project.

Disable scanning MCP traffic with Model Armor

If you want to use Model Armor in a project, and you want to stopscanning Google MCP traffic with Model Armor, run the followingcommand:

gcloudmodel-armorfloorsettingsupdate\--full-uri='projects/PROJECT_ID/locations/global/floorSetting'\--remove-integrated-services=GOOGLE_MCP_SERVER

ReplacePROJECT_ID with the Google Cloud projectID.

Model Armor won't scan MCP traffic in the project.

Control MCP use with IAM deny policies

Identity and Access Management (IAM) deny policies help yousecure Google Cloud remote MCP servers. Configure these policies to blockunwanted MCP tool access.

For example, you can deny or allow access based on:

• The principal.
• Tool properties like read-only.
• The application's OAuth client ID.

For more information, seeControl MCP use with Identity and Access Management.

What's next

• Read theCloud SQL MCP tools documentation.
• Learn more aboutMCP.
• Learn about otherremote MCP servers.