For example, you can deny or allow access based on:
- The principal.
- Tool properties like read-only.
- The service name or tool name.
- The application's OAuth client ID.
You can configure authorization policies for agents and MCP servers using existing security controls, such as IAM allow and deny policies, and layer these attributes to build your security and governance policies.
Understand IAM permission checks for MCP
When you use Google or Google Cloud services through MCP servers, the principal making the tool call must have the following permissions:
- The mcp.tools.call permission on the Google Cloud project.
- The required permissions to access the underlying Google or Google Cloud resources.
For example, if an MCP tool call is sent to get a BigQuery Dataset's
metadata, and the caller has the mcp.tools.call permission but lacks the
bigquery.datasets.get permission, the tool call fails. Similarly, if the
caller has the bigquery.datasets.get permission, but lacks the
mcp.tools.call permission, the call fails.
IAM deny policy attributes
The following attributes can be used in your Identity and Access Management deny policies:
- tool.isReadOnly: a resource attribute that indicates whether the invoked tool only reads data.
- request.auth.oauth.client_id: the OAuth client ID.
- resource.service: the name of the service, for example bigquery.googleapis.com.
- tool.name: the name of the MCP tool, for example list_agents.
IAM allow policy attributes
The following attributes can be used in your Identity and Access Management allow policies:
- resource.service: the name of the service, for example bigquery.googleapis.com.
- tool.name: the name of the MCP tool, for example list_agents.
Limitations
Control of MCP use with IAM has the following limitations:
- The request.auth.oauth.client_id attribute is only supported for IAM deny policies. IAM allow policies don't support this attribute.
- These IAM attributes are only checked and enforced for the mcp.tools.call permission. These attributes cannot be combined with any other permissions in IAM deny policies.
- Tags can't be mixed with the resource.service attribute or any MCP attributes in IAM conditions.
- The resource.service and tool.name attributes aren't available in the Google Cloud console. IAM policies that use these attributes must be managed with the Google Cloud CLI.
Example IAM deny policies
The following sections give examples of Identity and Access Management deny policies that can be used to control MCP use.
Deny all MCP tool use
The following IAM deny policy prevents use of Google and Google Cloud MCP server tools by all users.
{
"displayName": "Deny access to MCP tools for all users",
"rules": [
{
"denyRule": {
"deniedPrincipals": [
"principalSet://goog/public:all"
],
"deniedPermissions": [
"mcp.googleapis.com/tools.call"
]
}
}
]
}
After the policy is applied to a Google Cloud project, when a client calls
tools/call, the request fails and an HTTP client error is returned.
Deny read-write MCP tool use
The following IAM deny policy prevents use of any tool that isn't read-only. Tools that create, modify, or delete resources aren't permitted.
{
"rules": [
{
"denyRule": {
"deniedPrincipals": [
"principalSet://goog/public:all"
],
"deniedPermissions": [
"mcp.googleapis.com/tools.call"
],
"denialCondition": {
"title": "Deny read-write tools",
"expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
}
}
}
]
}
After the policy is applied to a Google Cloud project, when an MCP client makes
a tool call to a tool that isn't annotated as read-only, the request fails and
an HTTP client error is returned.
Deny MCP use by service
The following IAM deny policy prevents use of MCP tools from a specific service for all users.
{
"rules": [
{
"denyRule": {
"deniedPrincipals": [
"principalSet://goog/public:all"
],
"deniedPermissions": [
"mcp.googleapis.com/tools.call"
],
"denialCondition": {
"title": "Deny all MCP tool use from this service",
"expression": "resource.service == 'SERVICE_NAME'"
}
}
}
]
}
Replace SERVICE_NAME with the service name—for example,
bigquery.googleapis.com.
Allow MCP use by service
You can use a deny policy to deny MCP use for all services except ones that you specify.
The following IAM deny policy prevents use of MCP tools from all services except one service for all users.
{
"rules": [
{
"denyRule": {
"deniedPrincipals": [
"principalSet://goog/public:all"
],
"deniedPermissions": [
"mcp.googleapis.com/tools.call"
],
"denialCondition": {
"title": "Only Allow access to the following service's MCP tools",
"expression": "!(resource.service == 'SERVICE_NAME')"
}
}
}
]
}
Replace SERVICE_NAME with the name of the service that you want to
allow—for example, compute.googleapis.com.
Allow MCP use by Client ID
The following IAM deny policy prevents use of MCP tools by all principals except for a specific client ID.
{
"rules": [
{
"denyRule": {
"deniedPrincipals": [
"principalSet://goog/public:all"
],
"deniedPermissions": [
"mcp.googleapis.com/tools.call"
],
"denialCondition": {
"title": "Allow MCP tool use by the following client ID.",
"expression": "!(request.auth.oauth.client_id == 'CLIENT_ID')"
}
}
}
]
}
Replace CLIENT_ID with the client ID—for example,
12345678910-0abcdef0ghi.apps.googleusercontent.com. To view existing client
IDs, in the Google Cloud console, go to Google Auth Platform > Clients.
Apply a deny policy
To apply a deny policy to a Google Cloud project, add the policy to a file named
policy.json, and then run the following command:
gcloud iam policies create mcp-deny-policy \
--attachment-point=cloudresourcemanager.googleapis.com/projects/PROJECT_ID \
--kind=denypolicies \
--policy-file=policy.json
For more information, see Deny policies. For information on how to attach a deny policy to an organization or folder, see Attachment point.
Example IAM allow policies
The following sections give examples of Identity and Access Management allow policies that can be used to control MCP use. In addition to the MCP-specific permissions, principals must have permissions on any services they access through MCP calls.
Grant principals MCP access to specific services
You can use an allow policy to grant principals MCP access to specific servers.
The following IAM allow policy grants the principal
user@example.com access to the BigQuery and Cloud Storage MCP
servers.
{
"bindings": [
{
"role": "roles/mcp.toolUser",
"members": [
"user:user@example.com"
],
"condition": {
"title": "Allow MCP calls for BigQuery and Cloud Storage MCP servers",
"expression": "resource.service == 'bigquery.googleapis.com' || resource.service == 'storage.googleapis.com'"
}
}
]
}
Grant principals access to a specific MCP tool
You can use an allow policy to grant principals access to a specific MCP tool.
The following IAM allow policy grants the principal
user@example.com access to the Compute Engine tool list_instances.
{
"bindings": [
{
"role": "roles/mcp.toolUser",
"members": [
"user:user@example.com"
],
"condition": {
"title": "Grant access to list_instances tool in the Compute Engine MCP server",
"expression": "resource.service == 'compute.googleapis.com' && api.getAttribute('mcp.googleapis.com/tool.name', '') == 'list_instances'"
}
}
]
}
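To make the two-layer permission check and the policy examples above concrete, here is an added example (not Google's code and not a real IAM or CEL implementation) that evaluates sample tools/call requests against stand-ins for this page's deny rules and allow bindings. The condition lambdas, the choice of storage.googleapis.com as SERVICE_NAME in the deny-by-service rule, and the evaluation order (deny policies first, then the allow binding, then the resource permission) are assumptions.

```python
# Added example, not Google's code: a toy evaluator that mirrors the
# authorization model described on this page. It does not run CEL or IAM;
# the lambdas below are hand-written stand-ins for the CEL expressions in
# the policies above, and the evaluation order is a simplifying assumption.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolCall:
    principal: str             # IAM member, e.g. "user:user@example.com"
    service: str               # resource.service, e.g. "bigquery.googleapis.com"
    tool: str                  # tool.name, e.g. "list_instances"
    read_only: bool            # tool.isReadOnly annotation on the tool
    client_id: str             # request.auth.oauth.client_id
    resource_perms: frozenset  # permissions the caller holds on the target resource

# Deny rules from this page (deniedPrincipals is public:all, so they apply to everyone).
DENY_RULES = [
    ("Deny read-write tools", lambda c: c.read_only is False),
    ("Deny all MCP tool use from this service",
     lambda c: c.service == "storage.googleapis.com"),  # SERVICE_NAME is assumed
]

# roles/mcp.toolUser bindings from this page; each grants mcp.tools.call
# only while its condition holds.
ALLOW_BINDINGS = [
    ("user:user@example.com",
     lambda c: c.service in ("bigquery.googleapis.com", "storage.googleapis.com")),
    ("user:user@example.com",
     lambda c: c.service == "compute.googleapis.com" and c.tool == "list_instances"),
]

def authorize(call: ToolCall, resource_perm: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one tools/call request."""
    # 1. Deny policies are checked first: one matching rule blocks the call.
    for title, cond in DENY_RULES:
        if cond(call):
            return False, f"denied by deny policy: {title}"
    # 2. mcp.tools.call must come from an allow binding whose condition holds.
    if not any(m == call.principal and cond(call) for m, cond in ALLOW_BINDINGS):
        return False, "missing mcp.tools.call"
    # 3. The permission on the underlying resource is checked separately,
    #    so mcp.tools.call alone is never enough.
    if resource_perm not in call.resource_perms:
        return False, f"missing {resource_perm}"
    return True, "allowed"
```

The tool names and client ID used when exercising this evaluator are constructed sample values; only the permission and service names come from the page.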
Apply an allow policy
To apply an allow policy to a Google Cloud resource, follow the read, modify, write process outlined in Configure resource-based access.
For more information, see Understanding allow policies.
What's next
- Configure MCP in an AI application.
- Learn more about IAM deny policies and allow policies.
- Troubleshoot IAM policies.