Enables deployment of MCP servers to Google Cloud Run with authentication and identity token security
Run an secured MCP Server on Cloud Run
An example MCP server deployable to Cloud Run that is secured by authentication and requires an identity token to access.
Full Codelab tutorial available here: https://codelabs.developers.google.com/codelabs/cloud-run/how-to-deploy-a-secure-mcp-server-on-cloud-run
To run this example
Install dependencies
From the project root directory run the following command:
Authenticate gcloud CLI
Authenticate the gcloud CLI using the following command:
This will trigger an OAuth 2.0 flow and will prompt you to login to your Google account. Log in to your account using your credentials then return to your terminal once completed.
Deploy MCP server to Cloud Run
Set the environment variables related to your GCP project in the set_env.sh script. From the shell terminal run the following to source its variables:
Run the following command to deploy the MCP server to Cloud Run:
Bind Cloud Run: Invoker role to end user account
The --no-allow-unauthenticated flag of the Cloud Run deployment command secures the MCP server by requiring an Authorization header with a valid Bearer <token> is presented to the server to allow traffic through.
Run the following command to give your user account permissions to invoke the MCP server on Cloud Run.
Save your Google Cloud credentials and project number in environment variables for use in the Gemini CLI tool.
You may need to re-run the command to export an ID_TOKEN if the token timteout expires.
Related MCP server: MCP SSE Cloud Run Proxy
Use an MCP Client to use tools on the MCP Server
To test the MCP Server and its authentication requirement, you will need an MCP Client.
To quickly test this setup, you can use the Gemini CLI. To install it you can run the following command from your shell:
This will install the latest Gemini CLI and requires having node package manager (npm) installed.
Configure Gemini CLI settings.json file
To tell the Gemini CLI to use your Cloud Run MCP Server with required Authentication parameters:
Open your Gemini CLI settings file:
Add the zoo-remote server to the list of mcpServers available. Replace the PROJECT_NUMBER and GOOGLE_CLOUD_LOCATION with the settings for your project (if this is your first one, you can copy the settings below).
To retrieve a new token and update your settings file you can run the script update_token.sh to insert the updated token into the MCP server settings.
Use one of the MCP Server's tools
Start the Gemini CLI from your shell:
List MCP tools available to the Gemini CLI (MCP Client):
Ask gemini to find something in the zoo:
You may need to tell the Gemini CLI to allow execution of the MCP tool running on the remote server.
The output should indicate that an MCP server tool defined in server.py was used.