Enable or disable MCP servers

To use Google and Google Cloud remote MCP servers with your AI application or agent, you must enable the service and the MCP server for the service in your Google Cloud project. This document describes how to enable MCP servers in your Google Cloud project.

For information about organization-level controls, see Control MCP use in an organization.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command: 

    gcloud init

  5. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  7. Verify that billing is enabled for your Google Cloud project.

  8. Install the Google Cloud CLI.

  9. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  10. To initialize the gcloud CLI, run the following command: 

    gcloud init

  11. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  12. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  13. Verify that billing is enabled for your Google Cloud project.

  14. Install the Google Cloud CLI beta component: 
    gcloud components install beta

Required roles

To get the permissions that you need to enable MCP servers, ask your administrator to grant you the Service Usage Admin (roles/serviceusage.serviceUsageAdmin) IAM role on the Google Cloud project where you want to enable an MCP server. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to enable MCP servers. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to enable MCP servers:

  • serviceusage.mcppolicy.get
  • serviceusage.mcppolicy.update

You might also be able to get these permissions with custom roles or other predefined roles.

Enable or disable an MCP server in a Google Cloud project

If you are using different projects for your client credentials, such as service account keys, OAuth client ID or API keys, and for hosting your resources, then you must enable the service and the MCP server on both projects.

Enable an MCP server in a Google Cloud project

To enable an MCP server in your Google Cloud project, run the following command:

gcloud beta services mcp enable SERVICE \
    --project=PROJECT_ID

Replace the following:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE: the service name. For information about listing service names, see List services. To see a list of services that have MCP servers, see Supported products.

The MCP server is enabled for use in your Google Cloud project. If the service isn't enabled in your project, then you are prompted to enable the service before enabling the MCP server.

As a security best practice, only enable MCP servers for the services that are required for your agentic functionality.

Disable an MCP server in a Google Cloud project

To disable an MCP server in a Google Cloud project, run the following command:

gcloud beta services mcp disable SERVICE \
    --project=PROJECT_ID

Replace the following:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE: the service name.

The MCP server is disabled and can't be used in your Google Cloud project.

Optional security and safety configurations

MCP introduces new security risks and considerations due to the wide variety of actions that can be taken with MCP tools. To minimize and manage these risks, Google Cloud offers defaults and customizable policies to control the use of MCP tools in your Google Cloud organization or project. For more information about MCP security and governance, see AI security and safety.

What's next