PostgreSQL Read-Only MCP Server

A secure MCP (Model Context Protocol) server that provides read-only access to PostgreSQL databases through an SSH tunnel.

Features

Secure SSH Tunnel: Connects to PostgreSQL through encrypted SSH tunnel
Read-Only Enforcement: All queries run in read-only transactions
Connection Pooling: Efficient database connection management
Query Timeout: 15-second timeout for all operations
Comprehensive Tools: Query, list tables, describe schemas, analyze data

Configuration

Copy the example configuration file:
cp .env.example ~/.pg_mcp/.env
Edit ~/.pg_mcp/.env with your credentials:
# PostgreSQL Database Configuration POSTGRES_DB=your_database POSTGRES_USER=readonly_user POSTGRES_PASSWORD=your_password # SSH Tunnel Configuration SSH_HOST=your-ec2-instance.amazonaws.com SSH_USER=ec2-user SSH_KEY_PATH=/path/to/ssh/key # RDS Configuration RDS_HOST=your-database.rds.amazonaws.com
Create a read-only database user:
CREATE USER readonly_mcp WITH PASSWORD 'secure_password'; GRANT CONNECT ON DATABASE your_database TO readonly_mcp; GRANT USAGE ON SCHEMA public TO readonly_mcp; GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_mcp; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_mcp;

Installation

pnpm install
pnpm run build

Usage

Start the MCP server:

./start_mcp.sh

For development mode with hot reload:

./start_mcp.sh dev

Available MCP Tools

postgres_query: Execute read-only SQL queries
postgres_list_tables: List all tables with optional row counts
postgres_describe_table: Get detailed schema information
postgres_analyze_table: Analyze table for data quality issues
postgres_find_related: Find foreign key relationships
postgres_explain_query: Get query execution plans

SSH Tunnel Management

The server implements a shared SSH tunnel system:

Multiple instances share a single tunnel
Reference counting prevents premature closure
Automatic reconnection on failure
Lock files in /tmp/pg_mcp_tunnel/

Monitor tunnel status:

./check_tunnel.sh

Security

All queries validated for read-only operations
Enforced read-only transactions
15-second query timeout
SSH encryption for all connections
Credentials stored outside repository

Requirements

Node.js v24+
pnpm package manager
PostgreSQL database
SSH access to database server

This server cannot be installed

security - not tested

license - not found

quality - not tested

How are these scores calculated?

remote-capable server

The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.

A secure MCP server that enables querying PostgreSQL databases through an SSH tunnel with enforced read-only access, connection pooling, and comprehensive data exploration tools.

Related MCP Servers

Supabase MCP Server
stefanraath3
-
security
A
license
-
quality
An MCP server that connects to Supabase PostgreSQL databases, exposing table schemas as resources and providing tools for data analysis through SQL queries.
Last updated -
1
JavaScript
MIT License
Simple PostgreSQL MCP Server
NetanelBollag
-
security
A
license
-
quality
A template project for building custom MCP servers that enables direct access to PostgreSQL databases, allowing SQL query execution and schema information retrieval through the Model Context Protocol.
Last updated -
30
Python
MIT License
MySQL MCP Server
vitalyDV
-
security
F
license
-
quality
An MCP server that allows working with MySQL databases by providing tools for executing read-only SQL queries, getting table schemas, and listing database tables.
Last updated -
685
2
JavaScript
Simple PostgreSQL MCP Server
perrypixel
A
security
F
license
A
quality
A minimal MCP server that allows executing SQL queries on PostgreSQL databases with configurable read-only or write permissions.
Last updated -
1
6
TypeScript

View all related MCP servers

PostgreSQL Read-Only MCP Server