GCP Infrastructure MCP Server
Provides read-only tools for querying Google Cloud Platform infrastructure, including Compute Engine, Networking, GKE, DNS, Load Balancers, and Cloud Asset Inventory.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@GCP Infrastructure MCP ServerList all compute instances in my project"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
GCP Infrastructure MCP Server
A Model Context Protocol (MCP) server that provides 30+ read-only tools for querying Google Cloud Platform infrastructure. Designed for AI assistants, Terraform workflow support, and any MCP-compatible client.
Each user authenticates with their own base64-encoded GCP service account key — no credentials are stored on the server.
Table of Contents
Related MCP server: MCP GCP DevOps
Features
30+ infrastructure tools covering Compute, Networking, GKE, DNS, Load Balancers, and Cloud Asset Inventory
Multi-tenant — each user provides their own service account key as a Bearer token
SSE transport — works with any MCP client that supports URL + token
Async — GCP API calls run in a thread pool to keep the event loop responsive
Terraform-friendly — fetch real infrastructure state to generate or validate
.tffilesDocker-ready — ship as a single container
Architecture
MCP Client
│
│ Authorization: Bearer <base64_sa_key>
▼
┌──────────────────────────────────────┐
│ main.py (Starlette ASGI app) │
│ ├── GET /sse → SSE stream │
│ ├── POST /messages/ → MCP messages │
│ └── GET /health → health check │
│ │
│ src/auth.py → decode token, set ctx │
│ src/server.py → shared FastMCP instance │
│ │
│ src/tools/compute.py (5 tools) │
│ src/tools/networking.py (17 tools) │
│ src/tools/gke.py (4 tools) │
│ src/tools/regions.py (4 tools) │
│ src/tools/inventory.py (3 tools) │
│ │
│ src/gcp_clients.py → client factories│
└──────────────────────────────────────┘
│
▼
Google Cloud APIs (Compute, Container, DNS, Asset Inventory)Prerequisites
Requirement | Minimum Version |
Python | 3.10+ |
pip | latest |
GCP Service Account | with read-only roles |
Docker (optional) | 20+ |
Installation
Option A — Local (virtualenv)
cd gcpmcp
# Create and activate a virtual environment
python -m venv venv
# Linux / macOS
source venv/bin/activate
# Windows (PowerShell)
.\venv\Scripts\Activate.ps1
# Install dependencies
pip install -r requirements.txtOption B — Docker
docker build -t gcp-mcp-server .Running the Server
Local
python main.pyFlag | Default | Description |
|
| Bind address |
|
| Listen port |
|
|
|
Example:
python main.py --host 127.0.0.1 --port 9000 --log-level debugDocker
docker run -p 8080:8080 gcp-mcp-serverHealth Check
curl http://localhost:8080/health
# {"status":"healthy","server":"gcp-infrastructure-mcp"}Authentication Setup
1. Create a GCP Service Account
PROJECT_ID=your-project-id
# Create the service account
gcloud iam service-accounts create mcp-reader \
--display-name="MCP Infrastructure Reader"
# Grant read-only roles
for ROLE in roles/compute.viewer roles/container.viewer \
roles/dns.reader roles/cloudasset.viewer; do
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:mcp-reader@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="$ROLE"
done
# Download the JSON key
gcloud iam service-accounts keys create sa-key.json \
--iam-account=mcp-reader@${PROJECT_ID}.iam.gserviceaccount.com2. Base64-Encode the Key
Linux / macOS:
TOKEN=$(base64 -w 0 < sa-key.json)
echo "$TOKEN"Windows (PowerShell):
$TOKEN = [Convert]::ToBase64String([IO.File]::ReadAllBytes("sa-key.json"))
Write-Output $TOKEN3. Required IAM Roles
Role | Purpose |
| VMs, disks, VPCs, subnets, firewalls, LBs, routes |
| GKE clusters and node pools |
| Cloud DNS zones and records |
| Cloud Asset Inventory searches |
MCP Client Configuration
Set your MCP client to connect with:
URL:
http://<server-host>:8080/sseToken: the base64-encoded service account key
Example — Generic MCP Client
{
"mcpServers": {
"gcp-infrastructure": {
"url": "http://localhost:8080/sse",
"token": "<BASE64_ENCODED_SERVICE_ACCOUNT_KEY>"
}
}
}Example — Production (HTTPS)
{
"mcpServers": {
"gcp-infrastructure": {
"url": "https://mcp.example.com/sse",
"token": "<BASE64_ENCODED_SERVICE_ACCOUNT_KEY>"
}
}
}Note: Different users can connect simultaneously, each with their own token pointing to a different GCP project.
Available Tools
Compute Engine (5 tools)
Tool | Description |
| List VMs (all zones or specific zone) |
| Get full details of a specific VM |
| List persistent disks |
| List instance templates |
| List available machine types in a zone |
Networking (7 tools)
Tool | Description |
| List VPC networks |
| Get VPC details (peerings, routing) |
| List subnets (all regions or specific) |
| Get subnet details (CIDR, gateway) |
| List firewall rules |
| Get firewall rule details |
| List all routes |
IP Addresses (1 tool)
Tool | Description |
| List reserved / static IPs |
Load Balancers (6 tools)
Tool | Description |
| Regional LB frontends |
| Global HTTP(S)/SSL/TCP LB frontends |
| LB backend services |
| HTTP(S) LB URL routing |
| Classic network LB backends |
| Health checks |
SSL (1 tool)
Tool | Description |
| SSL certificates for HTTPS LBs |
DNS (2 tools)
Tool | Description |
| Cloud DNS managed zones |
| DNS record sets in a zone |
GKE — Google Kubernetes Engine (4 tools)
Tool | Description |
| List GKE clusters |
| Cluster details (networking, add-ons, security) |
| Node pools for a cluster |
| Supported K8s versions & image types |
Regions & Zones (4 tools)
Tool | Description |
| All GCP regions |
| Region details (quotas, zones) |
| All GCP zones |
| Zone details (status, CPU platforms) |
Cloud Asset Inventory (3 tools)
Tool | Description |
| Full-text search across all resources |
| List assets by type |
| Resource counts by type (quick audit) |
Terraform Integration
This server is purpose-built for infrastructure-as-code workflows:
Audit — Use
get_infrastructure_summaryto see what's deployed.Explore — Drill into VPCs, subnets, firewalls, GKE clusters.
Generate — Feed real infrastructure data to an AI to produce accurate
.tffiles.Validate — Compare
terraform planoutput against live state.
Example Workflow
User: "List all VPCs and generate Terraform for them"
AI: → calls list_vpcs → gets 3 VPCs with auto-subnets
→ calls list_subnets → maps CIDRs per region
→ generates google_compute_network + google_compute_subnetwork resourcesAdding New Tools
Pick the right file (
src/tools/compute.py,src/tools/networking.py, etc.) or create a newsrc/tools/<name>.pymodule.Import
mcpfromsrc.serverand credentials helpers fromsrc.auth.Decorate your function with
@mcp.tool().If you create a new module, import it in
main.pyso the tools get registered.
# src/tools/storage.py (example)
from src.server import mcp
from src.auth import get_credentials, get_project_id
from src.gcp_clients import run_sync, format_response
@mcp.tool()
async def list_storage_buckets(project_id=None, max_results=100):
"""List Cloud Storage buckets."""
credentials = get_credentials()
project = project_id or get_project_id()
# ... call GCS API ...Then add to main.py:
import src.tools.storage # noqa: F401Project Structure
gcpmcp/
├── main.py # Entry point — HTTP server + route handlers
├── src/
│ ├── __init__.py
│ ├── server.py # Shared FastMCP instance
│ ├── auth.py # Token decoding + per-session credential mgmt
│ ├── gcp_clients.py # GCP client factories + proto-to-dict helpers
│ └── tools/
│ ├── __init__.py
│ ├── compute.py # Compute Engine tools (5)
│ ├── networking.py # VPC / firewall / DNS / LB tools (17)
│ ├── gke.py # GKE tools (4)
│ ├── regions.py # Region & zone tools (4)
│ └── inventory.py # Cloud Asset Inventory tools (3)
├── requirements.txt # Python dependencies
├── Dockerfile # Container image
└── README.md # This fileSecurity Considerations
Concern | Mitigation |
Token in transit | Use HTTPS (TLS) in production — the Bearer token is a full credential. |
Least privilege | Grant only |
Key rotation | Rotate service account keys regularly; delete unused keys. |
Network access | Restrict the MCP server to trusted networks (VPN, firewall rules). |
Secrets in VCS | Never commit |
Server hardening | Run as a non-root user in Docker; pin dependency versions. |
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/nsachin08/GCPInfraMCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server