Google Cloud MCP servers roles and permissions

This page lists the IAM roles and permissions for Google Cloud MCP servers. To search through all roles and permissions, see the role and permission index.

Google Cloud MCP servers roles

Role Permissions

Role	Permissions
MCP Tool User (`roles/mcp.toolUser`) Gives permission to call tools on any MCP server enabled by the parent project.	`mcp.tools.call` `resourcemanager.projects.get` `resourcemanager.projects.list`

MCP Tool User

(roles/mcp.toolUser)

Gives permission to call tools on any MCP server enabled by the parent project.

mcp.tools.call

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud MCP servers permissions

Permission Included in roles

Permission	Included in roles
`mcp.tools.call`	Owner (`roles/owner`) Editor (`roles/editor`) Gemini Cloud Assist User (`roles/geminicloudassist.user`) MCP Tool User (`roles/mcp.toolUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Chronicle Service Agent (`roles/chronicle.serviceAgent`)

`mcp.tools.call`

Owner (roles/owner)

Editor (roles/editor)

Gemini Cloud Assist User (roles/geminicloudassist.user)

MCP Tool User (roles/mcp.toolUser)

Service agent roles

Chronicle Service Agent (roles/chronicle.serviceAgent)

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-04-01 UTC.