Use the Resource Manager remote MCP server

This document shows you how to use the Resource Manager remote Model Context Protocol (MCP) server to connect with AI applications including Gemini CLI, ChatGPT, Claude, and custom applications you are developing. The Resource Manager remote MCP server lets you search for and identify all Google Cloud projects that you have the necessary permissions to access, ensuring you have the correct identifiers before attempting more specific resource configurations.

The tool returns a structured list containing the project ID, project number, and the lifecycle state of the project. The Resource Manager remote MCP server is enabled when you enable the Resource Manager API.

Model Context Protocol (MCP) standardizes how large language models (LLMs) and AI applications or agents connect to external data sources. MCP servers let you use their tools, resources, and prompts to take actions and get updated data from their backend service.

What's the difference between local and remote MCP servers?

Local MCP servers
Typically run on your local machine and use the standard input and output streams (stdio) for communication between services on the same device.
Remote MCP servers
Run on the service's infrastructure and offer an HTTP endpoint to AI applications for communication between the AI MCP client and the MCP server. For more information about MCP architecture, see MCP architecture.

Google and Google Cloud remote MCP servers

Google and Google Cloud remote MCP servers have the following features and benefits:

  • Simplified, centralized discovery
  • Managed global or regional HTTP endpoints
  • Fine-grained authorization
  • Optional prompt and response security with Model Armor protection
  • Centralized audit logging

For information about other MCP servers and information about security and governance controls available for Google Cloud MCP servers, see Google Cloud MCP servers overview.

Before you begin

    Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

    In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

    If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

    Verify that billing is enabled for your Google Cloud project.

    Enable the Cloud Resource Manager API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

    Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command: 

    gcloud init

    If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

    If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

    Verify that billing is enabled for your Google Cloud project.

    Enable the Cloud Resource Manager API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

    Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command: 

    gcloud init

    If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

Authentication and authorization

The Resource Manager remote MCP server uses the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.

Resource Manager MCP servers use the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.

The Resource Manager MCP server doesn't accept API keys for authentication.

We recommend creating a separate identity for agents using MCP tools so that access to resources can be controlled and monitored. For more information on authentication, see Authenticate to MCP servers.

Resource Manager MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs.

Resource Manager has the following MCP tool OAuth scopes:

Scope URI for gcloud CLI Description
https://www.googleapis.com/auth/cloudresourcemanager.read-only Only allows access to read data.
https://www.googleapis.com/auth/cloudresourcemanager.read-write Allows access to read and modify data.

Additional scopes might be required on the resources accessed during a tool call. To view a list of scopes required for Resource Manager, see Resource Manager API.

Configure an MCP client to use the Resource Manager MCP server

AI applications and agents, such as Claude or Gemini CLI, can instantiate an MCP client that connects to a single MCP server. An AI application can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client must know at a minimum the URL of the remote MCP server.

In your AI application, look for a way to connect to a remote MCP server. You are prompted to enter details about the server, such as its name and URL.

For the Resource Manager MCP server, enter the following as required:

  • Server name: Resource Manager MCP server
  • Server URL or Endpoint: https://cloudresourcemanager.googleapis.com/mcp
  • Transport: HTTP
  • Authentication details: Depending on how you want to authenticate, you can enter your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials. For more information on authentication, see Authenticate to MCP servers.
  • OAuth scope: the OAuth 2.0 scope that you want to use when connecting to the Resource Manager MCP server.

For host specific guidance, see the following:

For more general guidance, see the following resources:

Available tools

To view details of available MCP tools and their descriptions for the Resource Manager MCP server, see the Resource Manager MCP reference.

List tools

Use the MCP inspector to list tools, or send a tools/list HTTP request directly to the Resource Manager remote MCP server. The tools/list method doesn't require authentication.

POST /mcp HTTP/1.1
Host: cloudresourcemanager.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/list",
}

Sample use cases

The search_projects tool in the Resource Manager remote MCP server lets AI agents dynamically discover and identify all Google Cloud projects that you have the necessary permissions to access so they can execute commands in other tools.

The tool returns a structured list containing the project ID, project number, and the lifecycle state of the project. The following are sample use cases for the Resource Manager MCP server:

  • Resource inventory and accessibility audits: List and summarize the active cloud projects accessible to you.

    User prompt: "List all my active Google Cloud projects."

    Agent action: The agent sends a search query to the MCP server to retrieve and display a summarized list of all active projects under your credentials.

  • Targeted parent-based searches: Retrieve projects located within a specific folder or organization to narrow the scope of a request.

    User prompt: "Find all projects under Folder 223."

    Agent action: The agent executes a tool call with the query parent:folders/223 to return a list of projects within that administrative boundary.

  • Implicit context resolution: When you ask for information about a resource without providing a specific project ID, the agent can resolve the context automatically.

    User prompt: "Check the status of my 'payment-processor' service."

    Agent action: The agent recognizes that a project_id is missing for the Cloud Run tool. It uses the search_projects tool to find projects with payment in the name, identifies likely projects (such as payment-prod-123), and asks you for confirmation before proceeding.

  • Environment-specific discovery: You can find projects filtered by specific environments or organizational structures without leaving the chat interface.

    User prompt: "Which projects do I have access to in the staging environment?"

    Agent action: The agent performs a search operation for all projects labeled or named staging that you have permission to view and returns the specific project IDs.

Customize LLM behavior

The search_projects tool is versatile, but LLMs might not always know when to query your Google Cloud hierarchy. To call the tool in specific scenarios, provide custom context in a Markdown file, for example, ~/.gemini/GEMINI.md or a project-level AGENTS.md.

Control MCP use with IAM deny policies

Identity and Access Management (IAM) deny policies help you secure Google Cloud remote MCP servers. Configure these policies to block unwanted MCP tool access.

For example, you can deny or allow access based on:

  • The principal
  • Tool properties like read-only
  • The application's OAuth client ID

For more information, see Control MCP use with Identity and Access Management.

What's next