# IAM Permission Request - Tableau MCP Cloud Run Service
**Date**: November 19, 2025
**Requestor**: Russel Enriquez (russel.enriquez@agilemi.com.au)
**Project**: Tableau MCP Server Deployment
**Google Cloud Project**: `broker-pulse-gcp`
**Service Name**: `tableau-mcp-staging`
---
## Executive Summary
I have successfully deployed the Tableau MCP (Model Context Protocol) Server to Google Cloud Run. The service is **deployed and healthy**, but requires an IAM policy update to allow public access to the endpoints.
**Current Status**: Service is running but returns 403 Forbidden due to missing IAM policy.
**Request**: Either grant me the required IAM permission **OR** run a single command to make the service accessible.
---
## What's Deployed
- **Service**: Tableau MCP Server (Staging)
- **Purpose**: Provides AI agent access to Tableau Cloud data and dashboards
- **Region**: `australia-southeast1`
- **Service URL**: `https://tableau-mcp-staging-bh375nkujq-ts.a.run.app`
- **Status**: ✅ Deployed and Healthy (all health checks passing)
- **Cost**: ~$5-20/month (scale-to-zero enabled)
---
## The Issue
When the service was deployed with the `--allow-unauthenticated` flag, the IAM policy could not be automatically set because my account lacks the required permission:
```
ERROR: Permission 'run.services.setIamPolicy' denied on resource
'projects/broker-pulse-gcp/locations/australia-southeast1/services/tableau-mcp-staging'
```
**Result**: The service is running but all endpoints return `403 Forbidden`.
---
## Solution Options
### **Option 1: Grant Me IAM Permission (Recommended for Ongoing Work)**
Grant my account the ability to manage Cloud Run IAM policies:
```bash
gcloud projects add-iam-policy-binding broker-pulse-gcp \
--member="user:russel.enriquez@agilemi.com.au" \
--role="roles/run.admin"
```
**Benefits**:
- I can manage Cloud Run services independently
- Can deploy updates without admin intervention
- Standard permission for Cloud Run developers
**Scope**: `roles/run.admin` includes:
- Create/update/delete Cloud Run services
- Manage service IAM policies
- View logs and metrics
---
### **Option 2: Run Single Command (Quick Fix)**
If you prefer not to grant additional permissions, you can run this one command to fix the current issue:
```bash
gcloud run services add-iam-policy-binding tableau-mcp-staging \
--region=australia-southeast1 \
--member=allUsers \
--role=roles/run.invoker
```
**Result**: Makes the service publicly accessible (required for the MCP endpoint)
**Note**: This will need to be repeated each time I deploy a new Cloud Run service.
---
## Security Considerations
### Is Public Access Safe?
**Yes** - This is the standard approach for MCP servers:
1. **API Key Authentication**: The MCP endpoint requires an API key header (`X-API-Key`) for all requests
2. **Encrypted Traffic**: All traffic is over HTTPS
3. **Secrets in Secret Manager**: Credentials are stored securely in Google Secret Manager
4. **No Sensitive Data in Logs**: All logs sanitize sensitive information
### What Will Be Publicly Accessible?
- `/health` - Basic health check (returns `{"status":"healthy"}`)
- `/ready` - Readiness check with Tableau connectivity status
- `/alive` - Liveness check with uptime
- `/sse` - MCP endpoint (**requires API key authentication**)
The MCP endpoint cannot be used without the API key, which is:
- Securely generated (32-character random string)
- Stored only in Secret Manager and my secure documentation
- Rotatable at any time
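The API key check described above, as an added example (not the deployed server's code): an express-compatible middleware that leaves the three probe paths open and compares the `X-API-Key` header in constant time. It assumes the key reaches the process as an environment variable `MCP_API_KEY` (name assumed) holding the value of the `mcp-api-key-staging` secret, and answers 401 on a missing or wrong key.

```typescript
import { timingSafeEqual } from "node:crypto";

// Minimal request/response shapes so the block runs without express installed;
// real express req/res objects satisfy them.
interface Req { path: string; headers: Record<string, string | string[] | undefined> }
interface Res { status(code: number): Res; json(body: unknown): Res }
type Next = () => void;

// Probe paths listed above that must stay reachable without a key.
const PUBLIC_PATHS = new Set(["/health", "/ready", "/alive"]);

// Constant-time comparison: a plain === would let response timing leak how
// many leading bytes of a guess were right. An empty configured key never matches.
export function apiKeyMatches(presented: string | undefined, expected: string): boolean {
  if (!expected || typeof presented !== "string") return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Express-style middleware: `app.use(requireApiKey(process.env.MCP_API_KEY ?? ""))`.
// MCP_API_KEY is an assumed variable name for the `mcp-api-key-staging` secret value.
export function requireApiKey(expectedKey: string) {
  return (req: Req, res: Res, next: Next): void => {
    if (PUBLIC_PATHS.has(req.path)) { next(); return; }
    const raw = req.headers["x-api-key"]; // Node lower-cases incoming header names
    const presented = Array.isArray(raw) ? raw[0] : raw;
    if (!apiKeyMatches(presented, expectedKey)) {
      res.status(401).json({ error: "unauthorized" }); // no hint about what failed
      return;
    }
    next();
  };
}

// Drive the middleware with a fake request. Returns the status it sent,
// or 0 when it called next() and let the request through.
export function runRequest(expectedKey: string, path: string, headers: Record<string, string> = {}): number {
  let sent = 0;
  let passed = false;
  const res: Res = { status(code) { sent = code; return res; }, json() { return res; } };
  requireApiKey(expectedKey)({ path, headers }, res, () => { passed = true; });
  return passed ? 0 : sent;
}
```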
---
## Similar Services in Our Project
These services also use public access with API key authentication:
- Other MCP servers (Thesus, Forsta)
- Data pipeline webhooks
- Cloud Run APIs with authentication
This is standard practice for serverless APIs.
---
## Technical Details
### Current Service Configuration
- **Min Instances**: 0 (scales to zero when idle = no cost)
- **Max Instances**: 5
- **CPU**: 1 core
- **Memory**: 512Mi
- **Timeout**: 300 seconds
### IAM Policy Needed
```yaml
Policy Binding:
  Member: allUsers
  Role: roles/run.invoker
  Service: tableau-mcp-staging
  Region: australia-southeast1
```
This allows **unauthenticated invocation** of the service, which is required for:
1. Health check endpoints (monitoring)
2. MCP SSE endpoint (with API key authentication)
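An added helper for confirming what the policy actually grants once either command has been run (example code, not part of the project): it reads the JSON that `gcloud run services get-iam-policy tableau-mcp-staging --region=australia-southeast1 --format=json` prints and reports whether `allUsers` holds `roles/run.invoker` unconditionally, treating a binding that carries an IAM condition as conditional rather than public. The sample policy below is constructed, not captured output.

```typescript
// Shape of `gcloud run services get-iam-policy ... --format=json` output.
interface IamBinding {
  role: string;
  members: string[];
  condition?: { expression: string; title?: string; description?: string };
}
interface IamPolicy { bindings?: IamBinding[]; etag?: string; version?: number }

export interface InvokerReport {
  publicUnconditional: boolean; // allUsers / allAuthenticatedUsers can invoke, no condition attached
  publicConditional: boolean;   // a public member appears only under an IAM condition
  invokers: string[];           // every principal with an unconditional roles/run.invoker binding
}

// allAuthenticatedUsers is any Google account, so it is treated as public here too.
const PUBLIC_MEMBERS = ["allUsers", "allAuthenticatedUsers"];

// Only roles/run.invoker is inspected: this checks the binding the request asks for,
// not every role that could carry run.routes.invoke (e.g. a custom role).
export function reportInvokers(policy: IamPolicy): InvokerReport {
  const report: InvokerReport = { publicUnconditional: false, publicConditional: false, invokers: [] };
  for (const b of policy.bindings ?? []) {
    if (b.role !== "roles/run.invoker") continue;
    const isPublic = b.members.some((m) => PUBLIC_MEMBERS.includes(m));
    if (b.condition) { // conditional bindings do not grant unconditionally
      if (isPublic) report.publicConditional = true;
      continue;
    }
    if (isPublic) report.publicUnconditional = true;
    for (const m of b.members) if (!report.invokers.includes(m)) report.invokers.push(m);
  }
  return report;
}

export function reportFromJson(json: string): InvokerReport {
  return reportInvokers(JSON.parse(json) as IamPolicy);
}

// Constructed sample of what the policy would look like after Option 2 is applied.
export const SAMPLE_POLICY_JSON = JSON.stringify({
  bindings: [
    { role: "roles/run.invoker", members: ["allUsers"] },
    { role: "roles/run.admin", members: ["user:russel.enriquez@agilemi.com.au"] },
  ],
  etag: "BwXconstructed=",
  version: 1,
});
```

Pipe the real `gcloud ... --format=json` output into `reportFromJson` to see, in one place, every principal able to invoke the service.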
---
## Impact Assessment
### If Approved
- ✅ Service endpoints become accessible
- ✅ Can proceed with Phase 7 (Cursor AI integration)
- ✅ Can test all 9 MCP tools (list workbooks, views, query data, etc.)
- ✅ Development can continue independently
### If Not Approved
- ❌ Service remains inaccessible (403 errors)
- ❌ Cannot test or use the deployed service
- ❌ Cannot integrate with Cursor AI
- ❌ Will need admin intervention for every deployment
---
## Timeline
**Immediate**: Once IAM policy is updated, the service is immediately usable.
**No downtime**: The service is already running, just needs access permissions.
---
## Testing Plan (After IAM Fix)
Once access is granted, I will test:
1. **Health Endpoints**: Verify all health checks work
2. **Tableau Connectivity**: Confirm connection to Tableau Cloud
3. **MCP Tools**: Test all 9 tools (workbooks, views, data queries)
4. **Cursor Integration**: Configure Cursor to use the MCP server
5. **Documentation**: Complete Phase 6 and Phase 7 documentation
Expected testing time: 30-60 minutes
---
## Commands Summary
**For you to run (choose one option):**
### Option 1: Grant Cloud Run Admin Role
```bash
gcloud projects add-iam-policy-binding broker-pulse-gcp \
--member="user:russel.enriquez@agilemi.com.au" \
--role="roles/run.admin"
```
### Option 2: Fix Current Service Only
```bash
gcloud run services add-iam-policy-binding tableau-mcp-staging \
--region=australia-southeast1 \
--member=allUsers \
--role=roles/run.invoker
```
**Prerequisites**: Must be run by an account with Project Owner or Cloud Run Admin role.
---
## Verification
After running either command, verify success:
```bash
# Test health endpoint
curl https://tableau-mcp-staging-bh375nkujq-ts.a.run.app/health
# Expected output:
# {"status":"healthy","timestamp":"2025-11-19T..."}
```
If this works, the IAM policy is correctly set.
---
## Support & Contact
If you have any questions about this request:
- **Email**: russel.enriquez@agilemi.com.au
- **Project Documentation**: `C:\Users\MomentumMedia\.cursor\agile\projects\tableau-mcp-project`
- **Deployment Guide**: See `PHASE_6_DEPLOYMENT_SUCCESS.md`
---
## Appendix: Service Deployment Details
### What Was Deployed
- **Docker Image**: Multi-stage Node.js 18 Alpine image
- **Source**: TypeScript MCP server with Tableau REST API client
- **Dependencies**: @modelcontextprotocol/sdk, express, axios, zod
- **Build Method**: Cloud Build (automatic)
### Environment Variables Set
- `NODE_ENV=staging`
- `TABLEAU_SERVER_URL=https://10ay.online.tableau.com`
- `TABLEAU_SITE_ID=mymomentumintelligence`
- `TABLEAU_TOKEN_NAME=Tableau-MCP-Staging`
- `TABLEAU_API_VERSION=3.23`
### Secrets Configured
- `tableau-token-staging` - Tableau Personal Access Token
- `mcp-api-key-staging` - MCP API Key for authentication
### Health Status
- **Ready**: True ✅
- **ConfigurationsReady**: True ✅
- **RoutesReady**: True ✅
Service is healthy and waiting for IAM policy update.
---
## Recommendation
**I recommend Option 1** (grant `roles/run.admin`) because:
1. I will be deploying/updating Cloud Run services regularly
2. Standard permission for developers working with Cloud Run
3. Eliminates need for admin intervention on every deployment
4. Aligns with our infrastructure-as-code practices
However, **Option 2 works fine** if you prefer tighter permission control.
---
**Status**: Awaiting approval and IAM policy update
**Priority**: Medium (service deployed, not yet usable)
**Estimated Time to Fix**: < 5 minutes
Thank you for your consideration!
---
**Russel Enriquez**
russel.enriquez@agilemi.com.au
November 19, 2025