# GCP BigQuery MCP Server

Enables querying and managing Google Cloud BigQuery datasets, tables, and schemas with Workload Identity Federation authentication, including executing SQL queries, listing datasets and tables, and retrieving table schema information.

Enterprise-grade MCP (Model Context Protocol) server for Google Cloud Platform BigQuery with Workload Identity Federation authentication. Provides secure, keyless access to BigQuery through the Model Context Protocol.
## Key Features

- Zero Service Account Keys - 100% Workload Identity Federation
- Google Workspace Integration - OIDC user authentication
- MCP Protocol Compliant - Follows official MCP SDK best practices
- Security Middleware - Rate limiting, prompt injection detection, data redaction
- Customer-Managed Encryption - CMEK for BigQuery datasets
- Comprehensive Audit Logging - 7-year retention for compliance
- Terraform Infrastructure - Complete IaC for reproducible deployments
- Cloud Run Deployment - Serverless, auto-scaling architecture
- OpenTelemetry - Distributed tracing and metrics

## Project Structure
## Security Architecture

### Traditional Approach (Avoided)

- Service account keys stored in files/secrets
- Permanent credentials that never expire
- Manual key rotation required
- High risk of credential leakage

### Workload Identity Federation (Implemented)

- No keys anywhere in the system
- 1-hour token lifetime with automatic rotation
- Attribute-based access for fine-grained control
- Complete audit trail for all access
- 90% reduction in attack surface
## Quick Start

### Prerequisites

- GCP Project with billing enabled
- Terraform >= 1.5.0
- Node.js >= 18.0.0
- Docker (for containerization)

### Installation

### Local Development

### Production Deployment
## MCP Tools

The server provides these MCP tools:

| Tool | Description |
|------|-------------|
| | Execute SQL queries on BigQuery datasets |
| | List all available BigQuery datasets |
| | List tables in a specific dataset |
| | Get schema information for a table |

Server Capabilities:

- Resources: BigQuery datasets listing
- Tools: Query execution and schema inspection
- Stderr Logging: All logs go to stderr, so stdout stays reserved for JSON-RPC messages
- Graceful Shutdown: SIGTERM/SIGINT handling
## Architecture

### Core Components

- Workload Identity Federation - Identity pools for dev/staging/prod with OIDC providers
- Security Middleware - Rate limiting, prompt injection detection, SQL injection prevention
- BigQuery Integration - Connection pooling, query optimization, dataset discovery
- Monitoring - Health checks, OpenTelemetry tracing, Cloud Monitoring integration
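The SQL-injection guard in the security middleware, and the query tool it protects, can be illustrated with a read-only statement gate that runs before any SQL reaches BigQuery. The TypeScript below is an added example, not the project's own middleware; `normalizeSql`, `checkReadOnlyQuery` and the keyword list are hypothetical choices for illustration.

```typescript
// Added example (not the project's middleware): gate SQL submitted to the
// query tool so that only a single read-only statement reaches BigQuery.
// Names and the keyword list are hypothetical. IAM roles that grant only
// read access remain the primary control; this gate is defence in depth.

// A statement may start with SELECT or WITH, optionally inside parentheses.
const ALLOWED_LEADING = /^\s*\(*\s*(select|with)\b/i;
// DML, DDL and scripting keywords that must never appear in a read-only query.
const BLOCKED_KEYWORDS =
  /\b(insert|update|delete|merge|drop|alter|create|truncate|grant|revoke|export|call|execute\s+immediate)\b/i;
// One left-to-right pass over comments, string literals and backtick identifiers.
// Whichever token starts first wins, so a quote inside a comment or a comment
// marker inside a string cannot confuse the later checks.
const TOKENS =
  /--[^\n]*|#[^\n]*|\/\*[\s\S]*?\*\/|'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`[^`]*`/g;

interface QueryDecision {
  allowed: boolean;
  reason: string;
}

// Comments become a space; literals and identifiers become empty quotes, so a
// column literally named "delete" inside a string does not cause a false positive.
function normalizeSql(sql: string): string {
  return sql.replace(TOKENS, (tok) => {
    const c = tok[0];
    return c === "'" || c === '"' || c === "`" ? c + c : " ";
  });
}

function checkReadOnlyQuery(sql: string, maxLength = 10_000): QueryDecision {
  if (sql.length > maxLength) {
    return { allowed: false, reason: "query exceeds maximum length" };
  }
  const normalized = normalizeSql(sql);
  if (!ALLOWED_LEADING.test(normalized)) {
    return { allowed: false, reason: "only SELECT or WITH statements are permitted" };
  }
  // Reject stacked statements: anything after a semicolon other than whitespace.
  const [, ...rest] = normalized.split(";");
  if (rest.some((part) => part.trim().length > 0)) {
    return { allowed: false, reason: "multiple statements are not permitted" };
  }
  const hit = BLOCKED_KEYWORDS.exec(normalized);
  if (hit) {
    return { allowed: false, reason: `blocked keyword: ${hit[1].toUpperCase()}` };
  }
  return { allowed: true, reason: "ok" };
}
```

A keyword gate is not a SQL parser; pairing it with a BigQuery dry-run job before execution catches what the regexes cannot, and the rejection reason is worth writing to the audit log.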
## Documentation

| Document | Description |
|----------|-------------|
| | Complete guide for local dev, testing, and production |
| | System design and component documentation |
| | Security middleware and best practices |
| | Workload Identity Federation details |
| | Full production deployment guide |
| | Container configuration |
| | Observability setup |
| | Complete documentation map |

## Testing

### Development Commands

## CI/CD
GitHub Actions workflow automatically:

- Runs tests on pull requests
- Builds and pushes Docker image
- Deploys to Cloud Run on main branch
- Uses Workload Identity Federation (no keys)

## Monitoring

- Cloud Monitoring: Pre-configured dashboards
- Cloud Logging: Structured JSON logs
- Cloud Trace: Distributed tracing via OpenTelemetry
- Audit Logs: 7-year retention in BigQuery
- Alerts: Email/Slack notifications

## Compliance

- GDPR: Data residency and access logging
- HIPAA: Access controls and audit trails
- SOC 2: Identity management and monitoring
- PCI-DSS: Authentication and authorization
## Contributing

Contributions welcome!

1. Fork the repository
2. Create a feature branch
3. Commit your changes
4. Push to the branch
5. Open a Pull Request

## License

MIT License - see LICENSE for details

## Acknowledgments

- Built with MCP SDK
- Powered by Google Cloud BigQuery
- Infrastructure by Terraform

Status: Production Ready | Version: 1.0.0 | Last Updated: December 2025