gcp-iam-test-project-permissions
Test which permissions your Google Cloud account has on a project to verify access before making API calls or deploying resources.
Instructions
Test which permissions the current caller has on a Google Cloud project
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| project | No | Project ID (defaults to current project) | |
| permissions | Yes | List of permissions to test (e.g., ["resourcemanager.projects.get", "compute.instances.list"]) | |
Implementation Reference
- src/services/iam/tools.ts:112-172 (handler)
  The handler function that implements the tool logic. It tests the specified IAM permissions on the given or current GCP project using the Resource Manager client and returns a formatted markdown response with granted and denied permissions.

  ```typescript
  async ({ project, permissions }) => {
    try {
      // Fall back to the ambient project when none was supplied.
      const projectId = project || (await getProjectId());
      const resourceManager = getResourceManagerClient();
      // testIamPermissions returns only the subset of the requested
      // permissions that the caller actually holds on the resource.
      const [response] = await resourceManager.testIamPermissions({
        resource: `projects/${projectId}`,
        permissions,
      });
      const grantedPermissions = response.permissions || [];
      // Anything requested but not echoed back was denied.
      const deniedPermissions = permissions.filter(
        (p) => !grantedPermissions.includes(p),
      );

      let result = `# Project IAM Permissions Test\n\nProject: ${projectId}\n\n`;
      result += `## ✅ Granted Permissions (${grantedPermissions.length})\n\n`;
      if (grantedPermissions.length > 0) {
        grantedPermissions.forEach((permission) => {
          result += `- ${permission}\n`;
        });
      } else {
        result += `*No permissions granted*\n`;
      }
      result += `\n## ❌ Denied Permissions (${deniedPermissions.length})\n\n`;
      if (deniedPermissions.length > 0) {
        deniedPermissions.forEach((permission) => {
          result += `- ${permission}\n`;
        });
      } else {
        result += `*All permissions granted*\n`;
      }
      result += `\n**Summary:** ${grantedPermissions.length}/${permissions.length} permissions granted on project ${projectId}\n`;

      return {
        content: [
          {
            type: "text",
            text: result,
          },
        ],
      };
    } catch (error: unknown) {
      const errorMessage =
        error instanceof Error ? error.message : "Unknown error";
      logger.error(`Error testing project IAM permissions: ${errorMessage}`);
      return {
        content: [
          {
            type: "text",
            text: `# Error Testing Project IAM Permissions\n\nFailed to test IAM permissions on project "${project || "current"}": ${errorMessage}\n\nPlease ensure the project ID is correct and accessible.`,
          },
        ],
        isError: true,
      };
    }
  },
  ```
- src/services/iam/tools.ts:100-110 (schema)
  Zod input schema defining the parameters for the tool: optional project ID and array of permissions to test.

  ```typescript
  inputSchema: {
    project: z
      .string()
      .optional()
      .describe("Project ID (defaults to current project)"),
    permissions: z
      .array(z.string())
      .describe(
        'List of permissions to test (e.g., ["resourcemanager.projects.get", "compute.instances.list"])',
      ),
  },
  ```
- src/services/iam/tools.ts:95-95 (registration)
  The registration of the tool with the MCP server using server.registerTool.

  ```typescript
  "gcp-iam-test-project-permissions",
  ```
- src/services/iam/types.ts:166-173 (helper)
  Helper function that provides a singleton instance of the Google Cloud ResourceManager ProjectsClient used by the tool handler for IAM operations.

  ```typescript
  // Assumed context from elsewhere in types.ts (not shown on this page):
  // import { ProjectsClient } from "@google-cloud/resource-manager";
  // let resourceManagerClientInstance: ProjectsClient | undefined;

  // Lazily create one client and reuse it across tool calls.
  export function getResourceManagerClient(): ProjectsClient {
    if (!resourceManagerClientInstance) {
      resourceManagerClientInstance = new ProjectsClient({
        projectId: process.env.GOOGLE_CLOUD_PROJECT,
      });
    }
    return resourceManagerClientInstance;
  }
  ```
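The handler's granted/denied diff, as an added example that is not part of the project's code, extended with an allowlist check so the same call can confirm that a least-privilege service account holds nothing beyond what it should; testIamPermissions only reports what the caller itself holds on the resource, so this is a self-check of the current credentials, not an audit of other principals. It assumes a minimal PermissionTester interface and a constructed fakeClient standing in for the real ProjectsClient, so it runs offline.

```typescript
// Added example (not the project's code): the handler's granted/denied diff,
// plus an allowlist check that flags permissions the caller holds but should not.

// Minimal shape of the call the tool makes; the real client is
// ProjectsClient from @google-cloud/resource-manager.
interface PermissionTester {
  testIamPermissions(req: { resource: string; permissions: string[] }):
    Promise<[{ permissions?: string[] | null }]>;
}

interface PermissionReport {
  resource: string;
  granted: string[];    // requested and held by the caller
  denied: string[];     // requested but not held
  unexpected: string[]; // held but absent from the allowlist
}

// Pure diff, checkable without any API call. With no allowlist, every
// requested permission counts as expected.
function diffPermissions(resource: string, requested: string[],
                         granted: string[], allowlist?: string[]): PermissionReport {
  const grantedSet = new Set(granted);
  const allowed = new Set(allowlist ?? requested);
  return {
    resource,
    granted,
    denied: requested.filter((p) => !grantedSet.has(p)),
    unexpected: granted.filter((p) => !allowed.has(p)),
  };
}

async function testProjectPermissions(client: PermissionTester, projectId: string,
                                      permissions: string[], allowlist?: string[]): Promise<PermissionReport> {
  const resource = `projects/${projectId}`;
  // Deduplicate so the summary counts are not skewed by repeated names.
  const requested = Array.from(new Set(permissions));
  const [response] = await client.testIamPermissions({ resource, permissions: requested });
  // The API omits the field entirely when nothing is granted.
  return diffPermissions(resource, requested, response.permissions ?? [], allowlist);
}

// Constructed fake client: the caller holds exactly these two permissions.
const fakeClient: PermissionTester = {
  async testIamPermissions({ permissions }) {
    const held = new Set(["resourcemanager.projects.get", "compute.instances.list"]);
    return [{ permissions: permissions.filter((p) => held.has(p)) }];
  },
};
```

Run against a service account's own credentials with its intended permission set as the allowlist, a non-empty `unexpected` list is the finding worth acting on.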