Prevent read-write MCP tool use

Because LLMs and AI agents are by their nature dynamic, AI application responses and actions for the same prompt can vary each time you send it. If you or an MCP server provider add tools or functionality, the agent's behavior can change significantly.

Model Context Protocol (MCP) tools can modify or delete resources that they access on your behalf. When you're using MCP tools through your AI application, protect important resources by preventing MCP tools from changing them.

To prevent unintended or unauthorized changes by MCP tools to production resources, use a deny policy and Identity and Access Management (IAM) attributes. These attributes control which agent identities and tool types can access a resource. You can create deny policies at the Google Cloud organization, folder, or project level. This document describes using IAM attributes to control MCP tool use.

Control MCP use with IAM attributes

The following attributes can be used in your Identity and Access Management deny policies:

  • tool.isReadOnly: a resource attribute that indicates whether the invoked tool only reads data.
  • request.auth.oauth.client_id: the OAuth client ID.
  • resource.service: the name of the service, for example, bigquery.googleapis.com.
  • tool.name: the name of the MCP tool, for example, list_agents.

Limitations

Control of MCP use with IAM has the following limitations:

  • The request.auth.oauth.client_id attribute is only supported for IAM deny policies. IAM allow policies don't support this attribute.
  • These IAM attributes are only checked and enforced for the mcp.tools.call permission. These attributes cannot be combined with any other permissions in IAM deny policies.
  • Tags can't be mixed with the resource.service attribute or any MCP attributes in IAM conditions.
  • The resource.service and tool.name attributes aren't available in the Google Cloud console. IAM policies that use these attributes must be managed with Google Cloud CLI.

Prevent read-write tool use

The following IAM deny policy prevents use of any tool that isn't read-only. Tools that create, modify, or delete resources aren't permitted.

{
  "rules": [
    {
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/public:all"
        ],
        "deniedPermissions": [
          "mcp.googleapis.com/tools.call"
        ],
        "denialCondition": {
          "title": "Deny read-write tools",
          "expression": "api.getAttribute('mcp.googleapis.com/tool.isReadOnly', false) == false"
        }
      }
    }
  ]
}

After the policy is applied to a Google Cloud project, when an MCP client makes a tool call to a tool that isn't annotated as read-only, the request fails and an HTTP client error is returned.

Apply a deny policy

To apply a deny policy to a Google Cloud project, add the policy to a file named policy.json, and then run the following command:

gcloud iam policies create mcp-deny-policy \
  --attachment-point=cloudresourcemanager.googleapis.com/projects/PROJECT_ID \
  --kind=denypolicies \
  --policy-file=policy.json

For more information, see Deny policies. For information on how to attach a deny policy to an organization or folder, see Attachment point.
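A pre-flight check for policy.json that you can run before the gcloud command above. This is an added example, not part of Google's documentation or tooling. It applies the limitations listed earlier: MCP attributes are enforced only for the tool-call permission and can't be mixed with tags. The function names, the substring matching, and the sample policy are assumptions constructed for illustration.

```python
import json
import sys

MCP_PERMISSION = "mcp.googleapis.com/tools.call"
# Attribute names as listed on this page; substring matching is a heuristic.
MCP_ATTRS = ("tool.isReadOnly", "tool.name", "resource.service",
             "request.auth.oauth.client_id")
# Tag functions available in IAM conditions.
TAG_FUNCS = ("resource.matchTag(", "resource.matchTagId(",
             "resource.hasTagKey(", "resource.hasTagKeyId(")

def make_policy(perms, expr):
    """Build a constructed sample policy in the shape shown on this page."""
    return json.dumps({"rules": [{"denyRule": {
        "deniedPrincipals": ["principalSet://goog/public:all"],
        "deniedPermissions": perms,
        "denialCondition": {"title": "Deny read-write tools",
                            "expression": expr}}}]})

def lint_deny_policy(text):
    """Return a list of problems found in the text of a deny policy file."""
    try:
        policy = json.loads(text)  # strict parser: rejects trailing commas
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    problems = []
    rules = policy.get("rules", []) if isinstance(policy, dict) else []
    if not rules:
        problems.append("policy has no rules")
    for i, rule in enumerate(rules):
        deny = rule.get("denyRule", {})
        expr = deny.get("denialCondition", {}).get("expression", "")
        uses_mcp = any(attr in expr for attr in MCP_ATTRS)
        if uses_mcp and deny.get("deniedPermissions") != [MCP_PERMISSION]:
            problems.append(f"rule {i}: MCP attributes require "
                            f"deniedPermissions to be only {MCP_PERMISSION}")
        if uses_mcp and any(fn in expr for fn in TAG_FUNCS):
            problems.append(f"rule {i}: tags cannot be mixed with MCP attributes")
        if not deny.get("deniedPrincipals"):
            problems.append(f"rule {i}: deniedPrincipals is empty")
    return problems

READ_ONLY_EXPR = ("api.getAttribute('mcp.googleapis.com/tool.isReadOnly', "
                  "false) == false")
SAMPLE = make_policy([MCP_PERMISSION], READ_ONLY_EXPR)  # constructed input

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    issues = lint_deny_policy(text)
    print("\n".join(issues) or "ok")
    sys.exit(1 if issues else 0)
```

Pass the path to policy.json as the first argument; a nonzero exit status means the file should not be applied yet.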
