Use the Cloud SQL remote MCP server

Model Context Protocol (MCP) standardizes the way AI applications connect to outside data sources using MCP servers and tools.

This document describes how to use the Cloud SQL remote Model Context Protocol (MCP) server to connect to Cloud SQL for PostgreSQL from AI applications such as Gemini CLI, agent mode in Gemini Code Assist, Claude Code, or in AI applications that you're developing.

Cloud SQL remote MCP server and other Google Cloud remote MCP servers have the following features and benefits:

  • Simplified, centralized discovery.
  • Managed global or regional HTTP endpoints.
  • Fine-grained authorization.
  • Optional prompt and response security with Model Armor protection.
  • Centralized audit logging.

Remote MCP servers are managed by Google and offer additional security and governance controls compared to the local MCP servers provided by the Cloud SQL for PostgreSQL MCP Toolbox for Databases. For more information about other remote MCP servers and about the security and governance controls available for MCP, see Google Cloud MCP servers overview.

The following sections only apply to the Cloud SQL for PostgreSQL remote MCP server.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Install the gcloud CLI.

  5. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  6. To initialize the gcloud CLI, run the following command:

    gcloud init

Required roles

To get the permissions that you need to enable and use the Cloud SQL remote MCP server, ask your administrator to grant you the following IAM roles on the project where you want to enable and use the remote Cloud SQL MCP server:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to enable and use the Cloud SQL remote MCP server. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to enable and use the Cloud SQL remote MCP server:

  • serviceusage.mcppolicy.get
  • serviceusage.mcppolicy.update
  • Make MCP tool calls: mcp.tools.call
  • Clone a Cloud SQL instance: cloudsql.instances.clone
  • Create a Cloud SQL instance: cloudsql.instances.create
  • Create a Cloud SQL user: cloudsql.users.create
  • Execute SQL queries on a Cloud SQL instance:
    • cloudsql.instances.executeSql
    • cloudsql.instances.login
  • Get a Cloud SQL instance: cloudsql.instances.get
  • Get a Cloud SQL instance operation: cloudsql.instances.get
  • Import data to a Cloud SQL instance: cloudsql.instances.import
  • List Cloud SQL instances in a project: cloudsql.instances.list
  • List Cloud SQL users: cloudsql.users.list
  • Update a Cloud SQL instance: cloudsql.instances.update
  • Update a Cloud SQL user: cloudsql.users.update

You might also be able to get these permissions with custom roles or other predefined roles.

Enable or disable the Cloud SQL MCP server

You can enable the Cloud SQL MCP server in a project with the gcloud beta services mcp enable command.

Enable the Cloud SQL MCP server in a project

To enable the Cloud SQL MCP server in your Google Cloud project, run the following command:

gcloud beta services mcp enable sqladmin.googleapis.com \
    --project=PROJECT_ID

Replace the following:

  • PROJECT_ID: the Google Cloud project ID.

After you run the command, the Cloud SQL remote MCP server is enabled.

If the Cloud SQL service isn't enabled for your Google Cloud project, then you're prompted to enable the service before enabling the Cloud SQL remote MCP server.

If you're using different projects for your client credentials, such as service account keys, OAuth client ID or API keys, and for hosting your resources, then you must enable the Cloud SQL service and the Cloud SQL remote MCP server on both projects.

Disable the Cloud SQL MCP server in a project

To disable the Cloud SQL MCP server in your Google Cloud project, run the following command:

gcloud beta services mcp disable sqladmin.googleapis.com \
    --project=PROJECT_ID

The Cloud SQL MCP server is disabled for use in your Google Cloud project.

Configure an MCP client to use the Cloud SQL MCP server

Host programs, such as Claude or the Gemini CLI, can instantiate MCP clients that connect to a single MCP server. A host program can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client must know at a minimum the URL of the remote MCP server.

Use the following instructions to configure MCP clients to connect to your remote Cloud SQL MCP server.

Gemini CLI

To add a Cloud SQL remote MCP server to your Gemini CLI, configure it as an extension.

  1. Create an extension file in the following location: ~/.gemini/extensions/EXT_NAME/gemini-extension.json where ~/ is your home directory and EXT_NAME is the name you want to give the extension.

  2. Save the following content in your extension file:

            {
              "name": "EXT_NAME",
              "version": "1.0.0",
              "mcpServers": {
                "Cloud SQL MCP Server": {
                  "httpUrl": "sqladmin.googleapis.com/mcp",
                  "authProviderType": "google_credentials",
                  "oauth": {
                    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
                  },
                  "timeout": 30000,
                  "headers": {
                    "x-goog-user-project": "PROJECT_ID"
                  }
                }
              }
            }
            
  3. Save the extensions file.

  4. Start Gemini CLI:

            gemini
            
  5. Run /mcp to view your configured MCP server and its tools.

    The response is similar to the following:

            Configured MCP servers:
            🟢 Cloud SQL MCP Server (from sqladmin )
              - list_instances
              - get_instance
              - clone_instance
              - create_instance
              - update_instance
              - execute_sql
              - import_data
              - create_user
              - update_user
              - list_users
              - get_operation
            

The remote MCP server is ready to use in Gemini CLI.
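A practitioner usually wants to check the extension file before starting the CLI, because a placeholder left in place or a stray scope is only discovered when a tool call fails. The following check is an added example, not Gemini CLI's or Google's code: it validates the keys shown in the template above, treats the literal EXT_NAME and PROJECT_ID as unfilled placeholders, confirms the scope list contains only the cloud-platform scope this page documents, and checks that the extension name matches its directory. The sample configuration in the block is constructed.

```python
"""Check a Gemini CLI extension file for the Cloud SQL remote MCP server.

Added example, not Gemini CLI's or Google's code. It checks the keys shown in
the page's template; the literal strings EXT_NAME and PROJECT_ID are treated
as placeholders that were never replaced.
"""
import json
from pathlib import Path

EXPECTED_URL = "sqladmin.googleapis.com/mcp"
EXPECTED_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
PLACEHOLDERS = {"EXT_NAME", "PROJECT_ID"}


def check_extension(config, expected_project, ext_dir_name=None):
    """Return a list of problems; an empty list means the file looks right."""
    problems = []
    name = config.get("name")
    if not name or name in PLACEHOLDERS:
        problems.append("name is missing or still the EXT_NAME placeholder")
    elif ext_dir_name and name != ext_dir_name:
        problems.append(f"name {name!r} does not match directory {ext_dir_name!r}")
    servers = config.get("mcpServers") or {}
    if not servers:
        problems.append("no mcpServers entry")
    for label, srv in servers.items():
        url = srv.get("httpUrl", "")
        # The template omits the scheme; accept it with or without https://
        if url.removeprefix("https://") != EXPECTED_URL:
            problems.append(f"{label}: httpUrl {url!r} is not the Cloud SQL MCP endpoint")
        if srv.get("authProviderType") != "google_credentials":
            problems.append(f"{label}: authProviderType must be google_credentials")
        scopes = srv.get("oauth", {}).get("scopes", [])
        if EXPECTED_SCOPE not in scopes:
            problems.append(f"{label}: missing scope {EXPECTED_SCOPE}")
        extra = [s for s in scopes if s != EXPECTED_SCOPE]
        if extra:
            problems.append(f"{label}: unexpected extra scopes {extra}")
        project = srv.get("headers", {}).get("x-goog-user-project")
        if project in PLACEHOLDERS or project != expected_project:
            problems.append(f"{label}: x-goog-user-project is {project!r}, "
                            f"expected {expected_project!r}")
    return problems


def check_extension_file(path, expected_project):
    """Load ~/.gemini/extensions/<EXT_NAME>/gemini-extension.json and check it;
    the directory name is what the extension name must match."""
    p = Path(path).expanduser()
    return check_extension(json.loads(p.read_text()), expected_project, p.parent.name)


# Constructed sample: the page's template with the placeholders filled in.
GOOD = {
    "name": "cloudsql",
    "version": "1.0.0",
    "mcpServers": {"Cloud SQL MCP Server": {
        "httpUrl": "sqladmin.googleapis.com/mcp",
        "authProviderType": "google_credentials",
        "oauth": {"scopes": [EXPECTED_SCOPE]},
        "timeout": 30000,
        "headers": {"x-goog-user-project": "my-project"}}},
}

if __name__ == "__main__":
    print(check_extension(GOOD, "my-project", "cloudsql"))
```

Run it against the real file with `check_extension_file("~/.gemini/extensions/cloudsql/gemini-extension.json", "my-project")`; a non-empty list is the reason the CLI would have rejected or silently misused the server.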

Claude.ai

You must have the Claude Enterprise, Pro, Max, or Team plan to configure Google and Google Cloud MCP servers in Claude.ai. For pricing information, see Claude Pricing.

To add a Google or Google Cloud remote MCP server to Claude.ai, configure a custom connector with an OAuth client ID and OAuth client secret:

Create an OAuth 2.0 client ID and secret

  1. In the Google Cloud console, go to Google Auth Platform > Clients > Create client.

    Go to Create client

    You are prompted to create a project if you don't have one selected.

  2. In the Application type list, select Web application.

  3. In the Name field, enter a name for your application.

  4. In the Authorized redirect URIs section, click + Add URI, and then add https://claude.ai/api/mcp/auth_callback in the URIs field.

  5. Click Create. The client is created. To access the client ID, in the Google Cloud console, go to Google Auth Platform > Clients.

  6. In the OAuth 2.0 client IDs list, select the client name.

  7. In the Client secrets section, copy the Client secret and save it in a secure place. You can only copy it once. If you lose it, delete the secret and create a new one.

Create a custom connector in Claude.ai

Follow the instructions for the Claude plan that you're using:

Enterprise and Team

  1. In Claude.ai, navigate to Admin settings > Connectors.

  2. Click Add custom connector.

  3. In the Add custom connector dialog, enter the following:

    • Server name: a human readable name for the server.
    • Remote MCP server URL: sqladmin.googleapis.com/mcp
  4. Expand the Advanced settings menu and then enter the following:

    • OAuth client ID: the OAuth 2.0 client ID you created.
    • OAuth client secret: the secret for your OAuth 2.0 client. To retrieve the secret, go to Google Auth Platform > Clients and then select the OAuth client ID you created. In the Client secrets section, click to copy the Client secret.
  5. Click Add.

    The custom connector is created.

  6. Open the Tools menu and enable the connector.

    Claude.ai can use the MCP server.

Pro and Max

  1. In Claude.ai, navigate to Settings > Connectors.

  2. Click Add custom connector.

  3. In the Add custom connector dialog, enter the following:

    • Server name: a human readable name for the server.
    • Remote MCP server URL: sqladmin.googleapis.com/mcp
  4. Expand the Advanced settings menu and then enter the following:

    • OAuth client ID: the OAuth 2.0 client ID you created.
    • OAuth client secret: the secret for your OAuth 2.0 client. To retrieve the secret, go to Google Auth Platform > Clients and then select the OAuth client ID you created. In the Client secrets section, click to copy the Client secret.
  5. Click Add.

    The custom connector is created.

  6. Open the Tools menu and enable the connector.

    Claude.ai can use the MCP server.

General guidance for MCP clients

If your MCP client isn't listed in Configure an MCP client to use the Cloud SQL MCP server, then use the following information to connect to a remote MCP server in your host program or AI application. You are prompted to enter details about the server, such as its name and URL.

For the Cloud SQL remote MCP server, enter the following as required:

  • Server name: Cloud SQL MCP server
  • Server URL or Endpoint: sqladmin.googleapis.com/mcp
  • Transport: HTTP
  • Authentication details: Depending on how you want to authenticate, you can enter your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials.

For more general guidance, see the following resources:

Authentication and authorization

Cloud SQL MCP servers use the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.

The Cloud SQL remote MCP server doesn't accept API keys.

We recommend creating a separate identity for agents using MCP tools so that access to resources can be controlled and monitored. For more information on authentication, see Authenticate to MCP servers.

Cloud SQL MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs.

Cloud SQL has the following MCP tool OAuth scopes:

  • Scope URI for gcloud CLI: https://www.googleapis.com/auth/cloud-platform
  • Description: Create, update, and list Cloud SQL resources including instances and database users. Import data and execute SQL queries on Cloud SQL instances.

Additional scopes might be required on the resources accessed during a tool call. To view a list of scopes required for Cloud SQL, see Cloud SQL Admin API.

Available tools

  • clone_instance: creates a Cloud SQL instance as a clone of source instance.
  • create_instance: initiates the creation of a Cloud SQL instance.
  • create_user: creates a database user for a Cloud SQL instance.
  • execute_sql: executes any valid SQL statements (DDL, DCL, DQL, DML) on a Cloud SQL instance.
  • get_instance: gets the details of a Cloud SQL instance.
  • get_operation: gets the status of a long-running operation in Cloud SQL.
  • list_instances: lists all Cloud SQL instances in a project.
  • list_users: lists all database users for a Cloud SQL instance.
  • import_data: imports data into a Cloud SQL instance from Cloud Storage.
  • update_instance: updates supported settings of a Cloud SQL instance.
  • update_user: updates a database user for a Cloud SQL instance.

To view additional details of available MCP tools and their descriptions for the Cloud SQL remote MCP server, see the Cloud SQL MCP reference.

List tools

Use the MCP inspector to list tools, or send a tools/list HTTP request directly to the Cloud SQL remote MCP server. The tools/list method doesn't require authentication.

POST /mcp HTTP/1.1
Host: sqladmin.googleapis.com
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/list"
}
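The same exchange as a small Python helper, added here as an example and not part of Google's documentation or client libraries: it builds the JSON-RPC envelope shown above, adds the bearer token and x-goog-user-project header that an authenticated tools/call request needs (the Accept header value follows the MCP streamable HTTP transport), parses the reply while surfacing JSON-RPC errors, and flags any tool the server advertises beyond the ones this page documents, which is the check worth running before an agent is allowed to call tools. The tools/list reply in the block is constructed, and the extra tool name in it is hypothetical.

```python
"""Build and parse JSON-RPC messages for the Cloud SQL remote MCP server.

Added example, not Google's code. It assumes the endpoint and method names
shown on this page (tools/list and tools/call at
https://sqladmin.googleapis.com/mcp); the sample reply is constructed.
"""
import json
import urllib.request

MCP_URL = "https://sqladmin.googleapis.com/mcp"

# Tools this page documents for the server; anything else deserves review.
DOCUMENTED_TOOLS = frozenset({
    "clone_instance", "create_instance", "create_user", "execute_sql",
    "get_instance", "get_operation", "list_instances", "list_users",
    "import_data", "update_instance", "update_user",
})


def build_request(method, params=None, req_id=1):
    """Build a JSON-RPC 2.0 request; without an id it would be a notification
    and the server would not answer it."""
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def mcp_headers(access_token=None, project_id=None):
    """Headers for the streamable HTTP transport. tools/list needs no token;
    tools/call needs a bearer token plus the x-goog-user-project header."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    if access_token:
        headers["Authorization"] = f"Bearer {access_token}"
    if project_id:
        headers["x-goog-user-project"] = project_id
    return headers


def parse_response(body):
    """Return the JSON-RPC result, raising if the reply carries an error object."""
    msg = json.loads(body)
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"MCP error {err.get('code')}: {err.get('message')}")
    return msg["result"]


def unexpected_tools(list_result):
    """Tool names the server advertises that this page does not document."""
    names = {t["name"] for t in list_result.get("tools", [])}
    return sorted(names - DOCUMENTED_TOOLS)


def post(url, request, headers):
    """Send one request over HTTPS and parse the reply (not exercised offline)."""
    data = json.dumps(request).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read())


# Constructed sample reply shaped like a tools/list result; the last tool
# name is hypothetical and exists only to show the allowlist check firing.
SAMPLE_LIST_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [{"name": "list_instances"},
                         {"name": "execute_sql"},
                         {"name": "hypothetical_extra_tool"}]},
})

if __name__ == "__main__":
    print(json.dumps(build_request("tools/list"), indent=2))
    print("undocumented tools:", unexpected_tools(parse_response(SAMPLE_LIST_REPLY)))
```

Against the live endpoint, `post(MCP_URL, build_request("tools/list"), mcp_headers())` works without credentials, and a `tools/call` needs `mcp_headers(token, project_id)` with a token obtained from your Google Cloud identity.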

Execute SQL statements

To execute SQL statements, your Cloud SQL instance must meet the following requirements:

If the instance isn't configured to ALLOW_DATA_API, then use the update_instance tool to update the configuration for the instance.

Sample use cases

The following are sample use cases for the Cloud SQL MCP server:

Web application development

A sample use case might be the rapid development of web applications and the provisioning of Cloud SQL instances as their source database. In this use case, using the Cloud SQL MCP server lets you build a new database and populate it with initial data for a new project using natural language.

Sample prompt:

"Create a new PostgreSQL development instance and set up a table called products."

Workflow:

The workflow for setting up a web application might look like the following:

  • Provisioning: The agent calls the create_instance tool to create a new Cloud SQL instance with development environment-sized specifications.

  • Verification: The agent uses the get_operation tool to poll the status of the instance creation operation.

  • Connection: When the operation is complete, the agent uses the get_instance tool to retrieve the instance connection metadata.

  • Schema setup: When the instance is ready, the agent uses the execute_sql tool to run the CREATE TABLE products SQL statement.

  • Data seeding: The agent uses execute_sql again to insert initial seed data (DML) into the newly created table.

  • Data seeding from Cloud Storage: Alternatively, the agent uses the import_data tool to import a products data file from Cloud Storage.
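The provisioning workflow above, written out as the explicit tools/call messages an agent host would send. This is an added example and not Google's code: it uses the tool names this page documents, but the argument and result field names (project, instance, operation, status, state, sql) are assumptions, and FakeCloudSqlMcp is a constructed stand-in for the remote server so that the exchange runs offline. The point it adds to the prose is the polling step: get_operation is called until the operation reports DONE, with a cap so a stuck operation cannot keep an agent looping.

```python
"""Provision -> poll -> connect -> schema -> seed, as tools/call messages.

Added example, not Google's code. Tool names come from the page; argument and
result field names are assumptions, and the fake server is constructed.
"""
import json


class FakeCloudSqlMcp:
    """Constructed server side: records every tools/call and answers with
    canned results, including an operation that needs several polls."""

    def __init__(self, polls_until_done=3):
        self.calls = []                      # (tool name, arguments) in order
        self._polls_left = polls_until_done

    def handle(self, request):
        assert request["method"] == "tools/call"
        name = request["params"]["name"]
        args = request["params"]["arguments"]
        self.calls.append((name, args))
        if name == "create_instance":
            result = {"name": "op-123", "status": "PENDING"}
        elif name == "get_operation":
            self._polls_left -= 1
            result = {"name": args["operation"],
                      "status": "DONE" if self._polls_left <= 0 else "RUNNING"}
        elif name == "get_instance":
            result = {"name": args["instance"], "state": "RUNNABLE",
                      "connectionName": f"{args['project']}:us-central1:{args['instance']}"}
        elif name == "execute_sql":
            result = {"rowsAffected": 0}
        else:
            return {"jsonrpc": "2.0", "id": request["id"],
                    "error": {"code": -32601, "message": f"unknown tool {name}"}}
        return {"jsonrpc": "2.0", "id": request["id"], "result": result}


class McpClient:
    """tools/call helper over any transport exposing handle(dict) -> dict."""

    def __init__(self, transport):
        self.transport = transport
        self._next_id = 0

    def call_tool(self, name, **arguments):
        self._next_id += 1
        reply = self.transport.handle({"jsonrpc": "2.0", "id": self._next_id,
                                       "method": "tools/call",
                                       "params": {"name": name, "arguments": arguments}})
        if "error" in reply:
            raise RuntimeError(reply["error"]["message"])
        return reply["result"]


def provision_dev_database(client, project, instance, max_polls=20):
    """Run the page's workflow and return the instance metadata.
    Gives up after max_polls so a stuck operation cannot loop forever."""
    op = client.call_tool("create_instance", project=project, instance=instance,
                          tier="db-custom-1-3840")      # assumed dev-sized tier name
    for _ in range(max_polls):
        op = client.call_tool("get_operation", project=project, operation=op["name"])
        if op["status"] == "DONE":
            break
    else:
        raise TimeoutError(f"operation {op['name']} still {op['status']} after {max_polls} polls")
    inst = client.call_tool("get_instance", project=project, instance=instance)
    if inst.get("state") != "RUNNABLE":
        raise RuntimeError(f"instance is in state {inst.get('state')}")
    # Fixed DDL/DML strings only; nothing user-supplied is interpolated here.
    client.call_tool("execute_sql", project=project, instance=instance, database="app",
                     sql="CREATE TABLE products (id SERIAL PRIMARY KEY, "
                         "name TEXT NOT NULL, price_cents INTEGER NOT NULL)")
    client.call_tool("execute_sql", project=project, instance=instance, database="app",
                     sql="INSERT INTO products (name, price_cents) VALUES ('sample', 1999)")
    return inst


def run_demo():
    """Drive the workflow against the fake server; returns (call log, instance)."""
    server = FakeCloudSqlMcp(polls_until_done=3)
    inst = provision_dev_database(McpClient(server), "demo-project", "dev-pg")
    return server.calls, inst


if __name__ == "__main__":
    calls, inst = run_demo()
    for name, args in calls:
        print(name, json.dumps(args))
```

Swapping FakeCloudSqlMcp for a transport that posts the same dict to sqladmin.googleapis.com/mcp with a bearer token and the x-goog-user-project header is all that changes for real use; the call log the fake records is also the shape of what you would expect to see in the centralized audit logging the page mentions.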

Query a database using natural language

You can query a Cloud SQL database, update records, and make schema updates using natural language.

Sample prompt:

"Add a `stock_count` column to the inventory table."

Workflow: The workflow for querying a database with natural language might look like the following.

  • Schema migration: The agent calls execute_sql to run an ALTER TABLE statement, adding the new stock_count column to the database schema.

  • Validation: The agent uses get_instance to confirm that the instance update has successfully completed.

Sample prompt:

"Show me a list of shoes that are priced above $100 from the inventory table."

Workflow:

  • Query execution: The agent calls execute_sql to run the SQL statement that retrieves the data.

Limitations

The Cloud SQL remote MCP server has the following limitations:

  • The create_user tool doesn't support creating a built-in authentication user with a password.
  • If the execute_sql tool returns a response that's larger than 10 MB, then the response will be truncated.
  • When using the execute_sql tool, queries that run for longer than 30 seconds can time out.

Optional security and safety configurations

Google Cloud offers an integration with Model Armor for remote MCP Servers to help you use MCP tools securely. For more information about MCP security and governance, see AI security and safety.

Model Armor

Model Armor is a Google Cloud service designed to enhance the security and safety of your AI applications. It works by proactively screening LLM prompts and responses, protecting against various risks and supporting responsible AI practices. Whether you are deploying AI in your cloud environment, or on external cloud providers, Model Armor can help you prevent malicious input, verify content safety, protect sensitive data, maintain compliance, and enforce your AI safety and security policies consistently across your diverse AI landscape.

Model Armor is only available in specific regional locations. If Model Armor is enabled for a project, and a call to that project comes from an unsupported region, then Model Armor makes a cross-regional call. For more information, see Model Armor locations.

Enable Model Armor

To enable Model Armor on your Google Cloud project, run the following gcloud CLI command:

gcloud services enable modelarmor.googleapis.com \
    --project=PROJECT_ID

Replace PROJECT_ID with your Google Cloud project ID.

Configure protection for Google and Google Cloud remote MCP servers

To protect your MCP tool calls and responses, you create a Model Armor floor setting and then enable MCP content security for your project. A floor setting defines the minimum security filters that apply across the project. This configuration applies a consistent set of filters to all MCP tool calls and responses within the project.

  1. Set up a Model Armor floor setting with MCP sanitization enabled. For more information, see Configure Model Armor floor settings.

    See the following example command:

    gcloud model-armor floorsettings update \
    --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
    --enable-floor-setting-enforcement=TRUE \
    --add-integrated-services=GOOGLE_MCP_SERVER \
    --google-mcp-server-enforcement-type=INSPECT_AND_BLOCK \
    --enable-google-mcp-server-cloud-logging \
    --malicious-uri-filter-settings-enforcement=ENABLED \
    --add-rai-settings-filters='[{"confidenceLevel": "HIGH", "filterType": "DANGEROUS"}]'

    Replace PROJECT_ID with your Google Cloud project ID.

    Note the following settings:

    • INSPECT_AND_BLOCK: The enforcement type that inspects content for the Google MCP server and blocks prompts and responses that match the filters.
    • ENABLED: The setting that enables a filter or enforcement.
    • HIGH: The confidence level for the Responsible AI - Dangerous filter settings. You can modify this setting, though lower values might result in more false positives. For more information, see Configure floor settings.
  2. For your project, enable Model Armor protection for remote MCP servers.

    gcloud beta services mcp content-security add modelarmor.googleapis.com --project=PROJECT_ID

    Replace PROJECT_ID with your Google Cloud project ID. After you run this command, Model Armor sanitizes all MCP tool calls and responses from the project, regardless of where the calls and responses originate.

  3. To confirm that Google MCP traffic is sent to Model Armor, run the following command:

    gcloud beta services mcp content-security get --project=PROJECT_ID
    

    Replace PROJECT_ID with the Google Cloud project ID.

Disable Model Armor in a project

To disable Model Armor on a Google Cloud project, run the following command:

gcloud beta services mcp content-security remove modelarmor.googleapis.com \
    --project=PROJECT_ID

Replace PROJECT_ID with the Google Cloud project ID.

Google MCP traffic won't be scanned by Model Armor for the specified project.

Disable scanning MCP traffic with Model Armor

If you want to use Model Armor in a project, and you want to stop scanning Google MCP traffic with Model Armor, run the following command:

gcloud model-armor floorsettings update \
  --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
  --remove-integrated-services=GOOGLE_MCP_SERVER

Replace PROJECT_ID with the Google Cloud project ID.

Model Armor won't scan MCP traffic in the project.

Organization level MCP control

You can create custom organization policies to control the use of MCP servers in your Google Cloud organization using the gcp.managed.allowedMCPService constraint. For more information and usage examples, see MCP Access control with IAM.

What's next