Use the BigQuery MCP server

This document describes how to use the BigQuery Model Context Protocol (MCP) server to connect to BigQuery from AI applications such as Gemini CLI, agent mode in Gemini Code Assist, Claude Code, or in AI applications you're developing.

Model Context Protocol (MCP) standardizes how large language models (LLMs) and AI applications or agents connect to outside data sources. MCP servers let you use their tools, resources, and prompts to take actions and get updated data from their backend service.

Local MCP servers typically run on your local machine and use the standard input and output streams (stdio) for communication between services on the same device. MCP servers run on the service's infrastructure and offer an HTTPS endpoint to AI applications for communication between the AI MCP client and the MCP server. For more information on MCP architecture, see MCP architecture.

Google and Google Cloud MCP servers have the following features and benefits:

Simplified, centralized discovery
Managed global or regional HTTPS endpoints
Fine-grained authorization
Optional prompt and response security with Model Armor protection
Centralized audit logging

For information about other MCP servers and information about security and governance controls available for Google Cloud MCP servers, see Google Cloud MCP servers overview.

You might use the BigQuery local MCP server for the following reasons:

You need to build a custom tool over a parameterized SQL query.
You don't have permissions to enable or use the MCP server in your project.

For more information about how to use our local MCP server, see Connect LLMs to BigQuery with MCP. The following sections apply only to the BigQuery MCP server.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

Go to project selector

If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

Enable the BigQuery API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Enable the API

For new projects, the BigQuery API is automatically enabled.
Optional: Enable billing for the project. If you don't want to enable billing or provide a credit card, the steps in this document still work. BigQuery provides you a sandbox to perform the steps. For more information, see Enable the BigQuery sandbox.
Note: If your project has a billing account and you want to use the BigQuery sandbox, then disable billing for your project.

Required roles

To get the permissions that you need to enable the BigQuery MCP server, ask your administrator to grant you the following IAM roles on the project where you want to enable the BigQuery MCP server:

Enable APIs and MCP servers in the project: Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
Make MCP tool calls: MCP Tool User (roles/mcp.toolUser)
Run BigQuery jobs: BigQuery Job User (roles/bigquery.jobUser)
Query BigQuery data: BigQuery Data Viewer (roles/bigquery.dataViewer)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to enable the BigQuery MCP server. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to enable the BigQuery MCP server:

Enable MCP servers in a project:
- serviceusage.mcppolicy.get
- serviceusage.mcppolicy.update
Make MCP tool calls: mcp.tools.call
Run BigQuery jobs: bigquery.jobs.create
Query BigQuery data: bigquery.tables.getData

You might also be able to get these permissions with custom roles or other predefined roles.

Enable or disable the BigQuery MCP server

You can enable or disable the BigQuery MCP server in a project with the gcloud beta services mcp enable command. For more information, see the following sections.

Enable the BigQuery MCP server in a project

If you're using different projects for your client credentials, such as service account keys, OAuth client ID or API keys, and for hosting your resources, then you must enable the BigQuery service and the BigQuery MCP server on both projects.

To enable the BigQuery MCP server in your Google Cloud project, run the following command:

gcloud beta services mcp enable SERVICE \
    --project=PROJECT_ID

Replace the following:

PROJECT_ID: the Google Cloud project ID
SERVICE: bigquery.googleapis.com (the global service name for BigQuery)

The BigQuery MCP server is enabled for use in your Google Cloud project. If the BigQuery service isn't enabled for your Google Cloud project, you're prompted to enable the service before enabling the BigQuery MCP server.

As a security best practice, we recommend that you enable MCP servers only for the services required for your AI application to function.

Disable the BigQuery MCP server in a project

To disable the BigQuery MCP server in your Google Cloud project, run the following command:

gcloud beta services mcp disable SERVICE \
    --project=PROJECT_ID

The BigQuery MCP server is disabled for use in your Google Cloud project.

Authentication and authorization

BigQuery MCP servers use the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.

The BigQuery MCP server doesn't accept API keys.

BigQuery MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs.

BigQuery has the following MCP tool OAuth scopes:

Scope URI for gcloud CLI	Description
`https://www.googleapis.com/auth/bigquery`	View and manage your data in BigQuery and see the email address for your Google Account.

Additional scopes might be required on the resources accessed during a tool call. To view a list of scopes required for BigQuery, see OAuth 2.0 scopes for BigQuery API v2.

Configure an MCP client to use the BigQuery MCP server

Host programs, such as Claude or Gemini CLI, can instantiate MCP clients that connect to a single MCP server. A host program can have multiple clients that connect to different MCP servers. To connect to an MCP server, the MCP client must know at a minimum the URL of the MCP server.

In your host, look for a way to connect to a MCP server. You're prompted to enter details about the server, such as its name and URL.

For the BigQuery MCP server, enter the following as required:

Server name: BigQuery MCP server
Server URL or Endpoint: https://bigquery.googleapis.com/mcp
Transport: HTTP
Authentication details: your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials

Which authentication details you choose depend on how you want to authenticate. For more information, see Authenticate to MCP servers.

For host-specific guidance, see the following:

For more general guidance, see Connect to remote MCP servers.

Available tools

To view details of available MCP tools and their descriptions for the BigQuery MCP server, see the BigQuery MCP reference.

Limitations

The BigQuery MCP tools are subject to the following limitations:

The execute_sql tool doesn't support querying Google Drive external tables.
By default, the execute_sql tool limits query processing time to three minutes. Queries that run longer than three minutes are automatically canceled.

List tools

Use the MCP inspector to list tools, or send a tools/list HTTP request directly to the BigQuery MCP server. The tools/list method doesn't require authentication.

POST /mcp HTTP/1.1
Host: bigquery.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/list",
}

Sample use cases

The following are sample use cases for the BigQuery MCP server:

Build workflows that use insights from BigQuery data to trigger certain actions such as creating issues and composing emails.
Use BigQuery's advanced capabilities like forecasting for higher-order insights.
Build a conversational experience for your users with custom agent instructions.

Sample prompts

You can use the following sample prompts to get information about BigQuery resources, gain insights, and analyze BigQuery data:

List the datasets in project PROJECT_ID.
Find all the queries that I ran in project PROJECT_ID using the MCP server in the REGION region. Use the tag goog-mcp-server:true to identify the query jobs that ran through the MCP server.
Find the top orders by volume from DATASET_ID in project PROJECT_ID. Identify the appropriate tables, find the correct schema, and show the results.
Create a forecast on the table PROJECT_ID.DATASET_ID.TABLE_ID for future years. Use COLUMN_NAME as the data column and COLUMN_NAME as the timestamp column. Show the top 10 forecasts.

In the prompts, replace the following:

PROJECT_ID: the Google Cloud project ID
REGION: the name of the region
DATASET_ID: the name of the dataset
TABLE_ID: the name of the table
COLUMN_NAME: the name of the column

Optional security and safety configurations

MCP introduces new security risks and considerations due to the wide variety of actions that you can take with MCP tools. To minimize and manage these risks, Google Cloud offers defaults and customizable policies to control the use of MCP tools in your Google Cloud organization or project.

For more information about MCP security and governance, see AI security and safety.

Use Model Armor

Model Armor is a Google Cloud service designed to enhance the security and safety of your AI applications. It works by proactively screening LLM prompts and responses, protecting against various risks and supporting responsible AI practices. Whether you deploy AI in your cloud environment, or on external cloud providers, Model Armor can help you prevent malicious input, verify content safety, protect sensitive data, maintain compliance, and enforce your AI safety and security policies consistently across your diverse AI landscape.

Model Armor is only available in specific regional locations. If Model Armor is enabled for a project, and a call to that project comes from an unsupported region, Model Armor makes a cross-regional call. For more information, see Model Armor locations.

Enable Model Armor

You must enable Model Armor APIs before you can use Model Armor.

Console

Enable the Model Armor API.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Enable the API
Select the project where you want to activate Model Armor.

gcloud

Before you begin, follow these steps using the Google Cloud CLI with the Model Armor API:

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command to set the API endpoint for the Model Armor service.
```
gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.LOCATION.rep.googleapis.com/"
```
Replace LOCATION with the region where you want to use Model Armor.

Configure protection for Google and Google Cloud remote MCP servers

To protect your MCP tool calls and responses, you create a Model Armor floor setting and then enable MCP content security for your project. A floor setting defines the minimum security filters that apply across the project. This configuration applies a consistent set of filters to all MCP tool calls and responses within the project.

Set up a Model Armor floor setting with MCP sanitization enabled. For more information, see Configure Model Armor floor settings.

Note: If the agent and the MCP server are in different projects, you can create floor settings in both projects (the client project and the resource project). In this case, Model Armor is invoked twice, once for each project.

See the following example command:
```
gcloud model-armor floorsettings update \
--full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
--enable-floor-setting-enforcement=TRUE \
--add-integrated-services=GOOGLE_MCP_SERVER \
--google-mcp-server-enforcement-type=INSPECT_AND_BLOCK \
--enable-google-mcp-server-cloud-logging \
--malicious-uri-filter-settings-enforcement=ENABLED \
--add-rai-settings-filters='[{"confidenceLevel": "HIGH", "filterType": "DANGEROUS"}]'
```
Replace PROJECT_ID with your Google Cloud project ID.

Note the following settings:
- INSPECT_AND_BLOCK: The enforcement type that inspects content for the Google MCP server and blocks prompts and responses that match the filters.
- ENABLED: The setting that enables a filter or enforcement.
- HIGH: The confidence level for the Responsible AI - Dangerous filter settings. You can modify this setting, though lower values might result in more false positives. For more information, see Configure floor settings.
For your project, enable Model Armor protection for remote MCP servers.
```
gcloud beta services mcp content-security add modelarmor.googleapis.com --project=PROJECT_ID
```
Replace PROJECT_ID with your Google Cloud project ID. After you run this command, Model Armor sanitizes all MCP tool calls and responses from the project, regardless of where the calls and responses originate.
To confirm that Google MCP traffic is sent to Model Armor, run the following command:
```
gcloud beta services mcp content-security get --project=PROJECT_ID
```
Replace PROJECT_ID with the Google Cloud project ID.

Disable scanning MCP traffic with Model Armor

If you want to use Model Armor in a project, and you want to stop scanning Google MCP traffic with Model Armor, run the following command:

gcloud model-armor floorsettings update \
  --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
  --remove-integrated-services=GOOGLE_MCP_SERVER

Replace PROJECT_ID with the Google Cloud project ID.

Model Armor won't scan MCP traffic in the project.

Control MCP use with IAM deny policies

Identity and Access Management (IAM) deny policies help you secure Google Cloud remote MCP servers. Configure these policies to block unwanted MCP tool access.

For example, you can deny or allow access based on:

The principal.
Tool properties like read-only.
The application's OAuth client ID.

For more information, see Control MCP use with Identity and Access Management.

Quotas and limits

The BigQuery MCP server doesn't have its own quotas. There is no limit on the number of call that can be made to the MCP server.

You are still subject to the quotas enforced by the APIs called by the MCP server tools. The following API methods are called by the MCP server tools:

Tool	API method	Quotas
`list_dataset_ids`	`datasets.list`	Dataset quotas and limits
`list_table_ids`	`tables.list`	Table quotas and limits
`get_dataset_info`	`datasets.get`	Dataset quotas and limits
`get_table_info`	`tables.get`	Table quotas and limits
`execute_sql`	`jobs.Query`	Query job quotas and limits

For more information on BigQuery quotas, see Quotas and limits.

What's next

Read the BigQuery MCP reference documentation.
Learn more about Google Cloud MCP servers.
See the MCP supported products.