For example, you can deny or allow access based on:
- The principal.
- Tool properties like read-only.
- The application's OAuth client ID.
Deny policy attributes
The following attributes can be used in your Identity and Access Management deny policies:
- tool.isReadOnly: a resource attribute that indicates whether the invoked tool only reads data.
- auth.oauthClientId: the OAuth client ID of the calling application.
You can configure authorization policies for agents and MCP servers using existing security controls, such as IAM deny policies, and layer these attributes to build your security and governance policies.
Limitations
The tool.isReadOnly and auth.oauthClientId attributes are only supported for IAM deny policies. IAM allow policies don't support these attributes.
IAM deny attributes are only checked and enforced for the tools.call permission. These attributes cannot be combined with any other permissions in IAM deny policies.
Example IAM policies
The following sections give examples of Identity and Access Management deny policies that can be used to control MCP use.
Deny all MCP tool use
The following IAM deny policy prevents use of Google and Google Cloud MCP server tools by all users.
{
  "displayName": "Deny access to MCP tools for all users",
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/public:all"
        ],
        "deniedPermissions": [
          "mcp.googleapis.com/tools.call"
        ]
      }
    }
  ]
}
After the policy is applied to a Google Cloud project, when a client calls tools/call, the request fails and an HTTP client error is returned.
Deny read-write MCP tool use
The following IAM deny policy prevents use of any tool that isn't read-only. Tools that create, modify, or delete resources aren't permitted.
{
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/public:all"
        ],
        "deniedPermissions": [
          "mcp.googleapis.com/tools.call"
        ],
        "denialCondition": {
          "title": "Deny read-write tools",
          "expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
        }
      }
    }
  ]
}
After the policy is applied to a Google Cloud project, when an MCP client makes a tool call to a tool that isn't annotated as read-only, the request fails and an HTTP client error is returned.
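Before attaching a policy like the two above, it is worth checking it against the limitations listed earlier: the MCP attributes are only honoured in deny policies, only for the tools.call permission, and not alongside other permissions. A stray trailing comma in policy.json also makes the file invalid JSON. The following validator is an added example, not Google's code or part of this documentation; it assumes the condition names attributes through api.getAttribute('<service>/<attribute>', <default>) as shown on this page, and matches the attribute names by suffix because the page does not spell out the full prefixed name of auth.oauthClientId. The sample policies embedded in it are constructed.

```python
"""Lint a Google Cloud IAM deny policy meant to govern MCP tool calls.

Checks the constraints documented for the MCP-specific attributes:
  * tool.isReadOnly and auth.oauthClientId are only supported in deny
    policies, so every rule must be a denyRule;
  * those attributes are only enforced for tools.call, so a rule whose
    denialCondition reads them must deny exactly that permission.
"""
import json
import re

MCP_CALL_PERMISSION = "mcp.googleapis.com/tools.call"
# Matched by suffix: the page shows 'mcp.googleapis.com/tool.isReadOnly' but
# does not spell out the full prefixed name of auth.oauthClientId (assumption).
MCP_ATTRIBUTE_SUFFIXES = ("tool.isReadOnly", "auth.oauthClientId")
_ATTR_RE = re.compile(r"api\.getAttribute\(\s*'([^']+)'")


def referenced_mcp_attributes(expression):
    """Return the MCP-specific attributes a CEL condition reads via api.getAttribute()."""
    return sorted(
        name for name in _ATTR_RE.findall(expression)
        if name.endswith(MCP_ATTRIBUTE_SUFFIXES)
    )


def validate_policy(policy):
    """Return a list of problems with a parsed deny policy (empty list means OK)."""
    problems = []
    rules = policy.get("rules", [])
    if not rules:
        problems.append("policy has no rules")
    for i, rule in enumerate(rules):
        deny = rule.get("denyRule")
        if deny is None:
            # MCP attributes are not supported in allow policies, so any
            # non-deny rule in this file is a mistake.
            problems.append(f"rule {i}: expected a denyRule")
            continue
        perms = deny.get("deniedPermissions", [])
        if not deny.get("deniedPrincipals"):
            problems.append(f"rule {i}: deniedPrincipals is empty")
        if not perms:
            problems.append(f"rule {i}: deniedPermissions is empty")
        cond = deny.get("denialCondition")
        if cond is None:
            continue
        attrs = referenced_mcp_attributes(cond.get("expression", ""))
        if attrs and perms != [MCP_CALL_PERMISSION]:
            problems.append(
                f"rule {i}: {attrs} are only enforced for {MCP_CALL_PERMISSION} "
                f"and cannot be combined with other permissions; got {perms}"
            )
    return problems


def validate_policy_text(text):
    """Parse policy JSON and validate it; a parse error is reported as a problem."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    return validate_policy(policy)


# Constructed sample: the read-only-only policy from the page, as valid JSON.
GOOD_POLICY = """{
  "rules": [{"denyRule": {
    "deniedPrincipals": ["principalSet://goog/public:all"],
    "deniedPermissions": ["mcp.googleapis.com/tools.call"],
    "denialCondition": {
      "title": "Deny read-write tools",
      "expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
    }}}]
}"""

# Constructed sample: same condition, but the rule also denies a second,
# unrelated permission, which the attribute restriction does not allow.
BAD_POLICY = """{
  "rules": [{"denyRule": {
    "deniedPrincipals": ["principalSet://goog/public:all"],
    "deniedPermissions": ["mcp.googleapis.com/tools.call", "storage.googleapis.com/objects.get"],
    "denialCondition": {
      "title": "Deny read-write tools",
      "expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
    }}}]
}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, validate_policy_text(text) or "OK")
```

Run it against policy.json (read the file and pass its contents to validate_policy_text) before the gcloud command in the next section; an empty result means the file parses and respects the documented limitations, though it does not prove the policy does what you intend, so still test the tool call after attachment.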
Apply a deny policy
To apply a deny policy to a Google Cloud project, add the policy to a file named policy.json, and then run the following command:
gcloud iam policies create mcp-deny-policy \
    --attachment-point=cloudresourcemanager.googleapis.com/projects/PROJECT_ID \
    --kind=denypolicies \
    --policy-file=policy.json
For more information, see Deny policies. For information on how to attach a deny policy to an organization or folder, see Attachment point.