Used for configuration management, storing database credentials, SSH tunnel settings, and RDS connection information in a secure location outside the repository.
Required runtime environment for the MCP server, specifically version 24 or higher.
Required package manager for installing dependencies and building the MCP server.
Provides read-only access to PostgreSQL databases through tools for executing queries, listing tables, describing schemas, analyzing data quality, finding relationships, and generating query execution plans.
PostgreSQL Read-Only MCP Server
A secure MCP (Model Context Protocol) server that provides read-only access to PostgreSQL databases through an SSH tunnel.
Features
Secure SSH Tunnel: Connects to PostgreSQL through encrypted SSH tunnel
Read-Only Enforcement: All queries run in read-only transactions
Connection Pooling: Efficient database connection management
Query Timeout: 15-second timeout for all operations
Comprehensive Tools: Query, list tables, describe schemas, analyze data
Configuration
Copy the example configuration file:
cp .env.example ~/.pg_mcp/.envEdit
~/.pg_mcp/.env
with your credentials:# PostgreSQL Database Configuration POSTGRES_DB=your_database POSTGRES_USER=readonly_user POSTGRES_PASSWORD=your_password # SSH Tunnel Configuration SSH_HOST=your-ec2-instance.amazonaws.com SSH_USER=ec2-user SSH_KEY_PATH=/path/to/ssh/key # RDS Configuration RDS_HOST=your-database.rds.amazonaws.comCreate a read-only database user:
CREATE USER readonly_mcp WITH PASSWORD 'secure_password'; GRANT CONNECT ON DATABASE your_database TO readonly_mcp; GRANT USAGE ON SCHEMA public TO readonly_mcp; GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_mcp; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_mcp;
Installation
Usage
Start the MCP server:
For development mode with hot reload:
Available MCP Tools
postgres_query
: Execute read-only SQL queriespostgres_list_tables
: List all tables with optional row countspostgres_describe_table
: Get detailed schema informationpostgres_analyze_table
: Analyze table for data quality issuespostgres_find_related
: Find foreign key relationshipspostgres_explain_query
: Get query execution plans
SSH Tunnel Management
The server implements a shared SSH tunnel system:
Multiple instances share a single tunnel
Reference counting prevents premature closure
Automatic reconnection on failure
Lock files in
/tmp/pg_mcp_tunnel/
Monitor tunnel status:
Security
All queries validated for read-only operations
Enforced read-only transactions
15-second query timeout
SSH encryption for all connections
Credentials stored outside repository
Requirements
Node.js v24+
pnpm package manager
PostgreSQL database
SSH access to database server
This server cannot be installed
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
A secure MCP server that enables querying PostgreSQL databases through an SSH tunnel with enforced read-only access, connection pooling, and comprehensive data exploration tools.
Related MCP Servers
- -securityAlicense-qualityAn MCP server that connects to Supabase PostgreSQL databases, exposing table schemas as resources and providing tools for data analysis through SQL queries.Last updated -1MIT License
- -securityAlicense-qualityA template project for building custom MCP servers that enables direct access to PostgreSQL databases, allowing SQL query execution and schema information retrieval through the Model Context Protocol.Last updated -31MIT License
- AsecurityFlicenseAqualityA minimal MCP server that allows executing SQL queries on PostgreSQL databases with configurable read-only or write permissions.Last updated -18
- -securityAlicense-qualityAn MCP server that enables chatting with PostgreSQL databases using secure GitHub authentication for access control between read and write operations.Last updated -237MIT License