Skip to main content
Glama
enesjakozh
henihaddad

GCP MCP

by henihaddad
OverviewSchemaRelated ServersScoreDiscussions
Python
Hybrid

get_role_permissions

Retrieve detailed IAM role information, including permissions, for roles in GCP. Specify a role name or project ID for custom roles to analyze access controls systematically.

Instructions

    Get detailed information about an IAM role, including its permissions.
    
    Args:
        role_name: The name of the role (e.g., "roles/compute.admin" or "projects/my-project/roles/myCustomRole")
        project_id: Optional project ID for custom roles. Not needed if role_name is fully qualified.
    
    Returns:
        Detailed information about the IAM role

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
project_idNo
role_nameYes

Implementation Reference

  • src/gcp_mcp/gcp_modules/iam/tools.py:123-173 (handler)
    The core handler function for the 'get_role_permissions' MCP tool. It resolves the role name, fetches the role using IAMClient.get_role, extracts details like title, description, permissions list, stage, and ETag, then formats and returns them. Includes input validation via type hints and docstring, and error handling.
        @mcp.tool()
    def get_role_permissions(role_name: str, project_id: Optional[str] = None) -> str:
        """
        Get detailed information about an IAM role, including its permissions.
        
        Args:
            role_name: The name of the role (e.g., "roles/compute.admin" or "projects/my-project/roles/myCustomRole")
            project_id: Optional project ID for custom roles. Not needed if role_name is fully qualified.
        
        Returns:
            Detailed information about the IAM role
        """
        try:
            from google.cloud import iam_v1
            
            # Initialize the IAM client
            client = iam_v1.IAMClient()
            
            # If project_id is provided and role_name doesn't include it, create fully qualified role name
            if project_id and not role_name.startswith("projects/") and not role_name.startswith("roles/"):
                role_name = f"projects/{project_id}/roles/{role_name}"
            elif not role_name.startswith("projects/") and not role_name.startswith("roles/"):
                role_name = f"roles/{role_name}"
            
            # Get role details
            request = iam_v1.GetRoleRequest(name=role_name)
            role = client.get_role(request=request)
            
            details = []
            details.append(f"Name: {role.name}")
            details.append(f"Title: {role.title}")
            details.append(f"Description: {role.description or 'No description'}")
            
            if role.included_permissions:
                permissions_str = "\n".join([f"- {permission}" for permission in role.included_permissions])
                details.append(f"Permissions ({len(role.included_permissions)}):\n{permissions_str}")
            else:
                details.append("Permissions: None")
            
            if hasattr(role, 'stage'):
                details.append(f"Stage: {role.stage}")
            
            if hasattr(role, 'etag'):
                details.append(f"ETag: {role.etag}")
            
            return f"""
IAM Role Details for {role.name}:
{chr(10).join(details)}
"""
        except Exception as e:
            return f"Error getting role permissions: {str(e)}"
  • src/gcp_mcp/server.py:35-36 (registration)
    Top-level registration call for the IAM tools module in the MCP server, which includes the get_role_permissions tool. This invokes the module's register_tools function to add all IAM-related tools to the MCP instance.
    # Register IAM tools
iam_tools.register_tools(mcp)
  • src/gcp_mcp/server.py:7-7 (registration)
    Import of the IAM tools module aliased as iam_tools, enabling its register_tools to be called for registering get_role_permissions and other IAM tools.
    from .gcp_modules.iam import tools as iam_tools

Tool Definition Quality

B3.1/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden. It states this is a 'get' operation, implying read-only behavior, but doesn't disclose other traits like authentication requirements, rate limits, error conditions, or what 'detailed information' includes. For a tool with zero annotation coverage, this leaves significant behavioral gaps.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured and appropriately sized. It starts with the core purpose, then lists parameters with helpful examples, and ends with return information. Every sentence adds value, with no redundant or vague phrasing. Minor improvements could include briefer parameter explanations.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given no annotations and no output schema, the description partially compensates by explaining parameters and stating the return is 'detailed information.' However, it lacks specifics on what that information includes (e.g., permissions list, role metadata) and behavioral aspects like error handling. For a 2-parameter tool with zero structured coverage, this is adequate but has clear gaps.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must compensate. It clearly explains both parameters: 'role_name' (with examples like 'roles/compute.admin') and 'project_id' (optional, for custom roles, not needed if fully qualified). This adds meaningful context beyond the bare schema, though it could specify format constraints more explicitly.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Get detailed information about an IAM role, including its permissions.' It specifies the verb ('get') and resource ('IAM role'), making the function unambiguous. However, it doesn't explicitly differentiate from sibling tools like 'list_roles' or 'check_iam_permissions', which prevents a perfect score.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It doesn't mention sibling tools like 'list_roles' (which might list roles without details) or 'check_iam_permissions' (which might verify permissions), leaving the agent to infer usage context. The parameter notes offer some operational hints but not comparative guidance.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Related Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/henihaddad/gcp-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server