GCP Billing and Monitoring MCP Server

by RadiumGu

gcp-iam-test-resource-permissions

Verify IAM permissions on Google Cloud resources by testing which specific permissions the current user or service account has access to for security validation and access control.

Instructions

Test which permissions the current caller has on specific Google Cloud resources

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| permissions | Yes | List of permissions to test on the resource | |
| resource | Yes | The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance") | |

Implementation Reference

  • Handler function that executes the tool: tests the caller's permissions on a specific GCP resource using ResourceManager.testIamPermissions, formats results as markdown with granted/denied lists.
    async ({ resource, permissions }) => {
      try {
        const resourceManager = getResourceManagerClient();
        // Ask the API which of the requested permissions the caller holds.
        const [response] = await resourceManager.testIamPermissions({
          resource,
          permissions,
        });

        // The response lists only the permissions that were granted;
        // everything else that was requested is treated as denied.
        const grantedPermissions = response.permissions || [];
        const deniedPermissions = permissions.filter(
          (p) => !grantedPermissions.includes(p),
        );

        // Build the markdown report returned to the MCP client.
        let result = `# Resource IAM Permissions Test\n\nResource: ${resource}\n\n`;

        result += `## ✅ Granted Permissions (${grantedPermissions.length})\n\n`;
        if (grantedPermissions.length > 0) {
          grantedPermissions.forEach((permission) => {
            result += `- ${permission}\n`;
          });
        } else {
          result += `*No permissions granted*\n`;
        }

        result += `\n## ❌ Denied Permissions (${deniedPermissions.length})\n\n`;
        if (deniedPermissions.length > 0) {
          deniedPermissions.forEach((permission) => {
            result += `- ${permission}\n`;
          });
        } else {
          result += `*All permissions granted*\n`;
        }

        result += `\n**Summary:** ${grantedPermissions.length}/${permissions.length} permissions granted on resource ${resource}\n`;

        return {
          content: [
            {
              type: "text",
              text: result,
            },
          ],
        };
      } catch (error: unknown) {
        // API and validation failures are logged and returned as an MCP error result.
        const errorMessage =
          error instanceof Error ? error.message : "Unknown error";
        logger.error(`Error testing resource IAM permissions: ${errorMessage}`);
        return {
          content: [
            {
              type: "text",
              text: `# Error Testing Resource IAM Permissions\n\nFailed to test IAM permissions on resource "${resource}": ${errorMessage}\n\nPlease ensure:\n- The resource name is correct and properly formatted\n- The resource exists and is accessible\n- You have the required permissions to test IAM permissions on this resource`,
            },
          ],
          isError: true,
        };
      }
    },
    ); // closes the enclosing server.registerTool(...) call
  • Input schema defining parameters: 'resource' (string, full GCP resource name) and 'permissions' (array of strings). Uses Zod for validation.
    {
      title: "Test Resource-Specific IAM Permissions",
      description:
        "Test which permissions the current caller has on specific Google Cloud resources",
      inputSchema: {
        resource: z
          .string()
          .describe(
            'The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance")',
          ),
        permissions: z
          .array(z.string())
          .describe("List of permissions to test on the resource"),
      },
    },
  • Registration of the tool via server.registerTool within registerIamTools function.
    server.registerTool(
      "gcp-iam-test-resource-permissions",
      {
        title: "Test Resource-Specific IAM Permissions",
        description:
          "Test which permissions the current caller has on specific Google Cloud resources",
        inputSchema: {
          resource: z
            .string()
            .describe(
              'The full resource name (e.g., "projects/my-project/buckets/my-bucket", "projects/my-project/zones/us-central1-a/instances/my-instance")',
            ),
          permissions: z
            .array(z.string())
            .describe("List of permissions to test on the resource"),
        },
      },
      async ({ resource, permissions }) => {
        try {
          const resourceManager = getResourceManagerClient();
          const [response] = await resourceManager.testIamPermissions({
            resource,
            permissions,
          });

          const grantedPermissions = response.permissions || [];
          const deniedPermissions = permissions.filter(
            (p) => !grantedPermissions.includes(p),
          );

          let result = `# Resource IAM Permissions Test\n\nResource: ${resource}\n\n`;

          result += `## ✅ Granted Permissions (${grantedPermissions.length})\n\n`;
          if (grantedPermissions.length > 0) {
            grantedPermissions.forEach((permission) => {
              result += `- ${permission}\n`;
            });
          } else {
            result += `*No permissions granted*\n`;
          }

          result += `\n## ❌ Denied Permissions (${deniedPermissions.length})\n\n`;
          if (deniedPermissions.length > 0) {
            deniedPermissions.forEach((permission) => {
              result += `- ${permission}\n`;
            });
          } else {
            result += `*All permissions granted*\n`;
          }

          result += `\n**Summary:** ${grantedPermissions.length}/${permissions.length} permissions granted on resource ${resource}\n`;

          return {
            content: [
              {
                type: "text",
                text: result,
              },
            ],
          };
        } catch (error: unknown) {
          const errorMessage =
            error instanceof Error ? error.message : "Unknown error";
          logger.error(`Error testing resource IAM permissions: ${errorMessage}`);
          return {
            content: [
              {
                type: "text",
                text: `# Error Testing Resource IAM Permissions\n\nFailed to test IAM permissions on resource "${resource}": ${errorMessage}\n\nPlease ensure:\n- The resource name is correct and properly formatted\n- The resource exists and is accessible\n- You have the required permissions to test IAM permissions on this resource`,
              },
            ],
            isError: true,
          };
        }
      },
    );
  • Helper function providing singleton Google Cloud ResourceManager (ProjectsClient) instance, used in the handler to call testIamPermissions.
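    // resourceManagerClientInstance is a module-level variable (declared outside this excerpt).
    export function getResourceManagerClient(): ProjectsClient {
      // Create the client on first use and reuse it afterwards.
      if (!resourceManagerClientInstance) {
        resourceManagerClientInstance = new ProjectsClient({
          projectId: process.env.GOOGLE_CLOUD_PROJECT,
        });
      }
      return resourceManagerClientInstance;
    }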
  • src/index.ts:202-202 (registration)
    Top-level call to registerIamTools(server), which in turn registers all IAM tools including gcp-iam-test-resource-permissions.
    registerIamTools(server);
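
An added example (not part of this server's source) of checks a caller could wrap around the handler above: the Zod schema accepts any string array, while testIamPermissions does not accept wildcard permissions, and the granted list is most useful when compared with what the caller is supposed to hold. The regular expression, the function names and the `expected` baseline are assumptions made for illustration.

```typescript
// Added example; not part of the MCP server's source.
// Assumption: names follow the documented service.resource.verb form.
const PERMISSION_RE = /^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*){2,}$/;

interface PermissionAudit {
  granted: string[]; // requested and returned by testIamPermissions
  denied: string[]; // requested but not returned
  unexpected: string[]; // granted but absent from the expected baseline
  missing: string[]; // in the baseline but not granted
}

// Validate and de-duplicate the list before it is sent to testIamPermissions.
function normalizePermissions(input: string[]): string[] {
  const seen: string[] = [];
  input.forEach((raw) => {
    const p = raw.trim();
    if (p.indexOf("*") !== -1) throw new Error(`wildcard not allowed: ${p}`);
    if (!PERMISSION_RE.test(p)) throw new Error(`malformed permission: ${JSON.stringify(p)}`);
    if (seen.indexOf(p) === -1) seen.push(p);
  });
  if (seen.length === 0) throw new Error("no permissions to test");
  return seen;
}

// Compare the API response with the request and with an expected baseline
// (hypothetical: the permissions this caller is supposed to hold).
function auditPermissions(requested: string[], returned: string[], expected: string[]): PermissionAudit {
  const granted = requested.filter((p) => returned.indexOf(p) !== -1);
  return {
    granted,
    denied: requested.filter((p) => returned.indexOf(p) === -1),
    unexpected: granted.filter((p) => expected.indexOf(p) === -1),
    missing: expected.filter((p) => granted.indexOf(p) === -1),
  };
}

// Constructed sample data standing in for a testIamPermissions response.
const sampleRequested = normalizePermissions([
  "storage.objects.get", "storage.objects.delete",
  "storage.objects.get", " storage.buckets.setIamPolicy ",
]);
const sampleAudit = auditPermissions(
  sampleRequested,
  ["storage.objects.get", "storage.objects.delete"], // constructed response
  ["storage.objects.get"], // constructed baseline
);
console.log(sampleAudit);
```

A non-empty `unexpected` list means the caller holds more than the baseline allows; a non-empty `missing` list means an expected grant is absent.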

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/RadiumGu/gcp-billing-and-monitoring-mcp'
