⌂ Home
Gemini CLI: From Zero to Production
Track 4 · Integrations
Module 18 of 18 ~55 min Intermediate
Module 17 · Track 4 — Integrations

Google Cloud MCP Servers

Your data warehouse, object storage, container services, and message queues all live in Google Cloud — and until now, Gemini CLI has been on the outside looking in. Google's official MCP servers for BigQuery, Cloud Storage, Cloud Run, and Pub/Sub close that gap: you write one natural-language prompt, and Gemini queries your data warehouse, diagnoses your failing service, and reads your config files — all without leaving the terminal.

What You'll Learn

  • Set up Application Default CredentialsADC (Application Default Credentials) is Google's standard mechanism for providing authentication to client libraries and SDKs. The gcloud CLI creates a local credentials file that any Google Cloud SDK automatically uses, so you don't hard-code service account keys. (ADC) for all Google Cloud MCP servers
  • Connect the BigQuery MCP server and use natural language to query your data warehouse
  • Read, write, and inspect Cloud Storage buckets with the GCS MCP server
  • Diagnose and deploy Cloud Run services via MCP from the terminal
  • Publish and monitor Pub/Sub topics with conversational prompts
  • Chain BigQuery + GCS + Cloud Run into compound multi-service debugging workflows
  • Set per-service IAM roles and billing caps to keep MCP usage safe and predictable

Why Google Cloud via MCP?

Analogy — A Direct SQL Console to Your Data Warehouse

Before the BigQuery MCP server, using Gemini to analyze your data was like briefing a consultant from memory: you'd copy-paste schemas and a few rows into the chat and hope you described everything correctly. The pain: you missed the column you forgot about, the consultant wrote a query against the wrong table, and you spent 20 minutes debugging something that would have been obvious if they could just look at the schema. The mapping: connecting the BigQuery MCP server is like giving your consultant a live SQL console. Gemini can now introspect the schema, run exploratory queries, see the actual data, and iterate — all in one conversation loop, without you acting as a human relay between the tool and the model.

Google maintains official MCP serversMCP (Model Context Protocol) servers are local or remote processes that expose tools to an AI model via a standardized protocol. Each tool call has a name, parameters, and a return value. The AI model decides when to call each tool based on the conversation context. for the following services:

📈
BigQuery
Schema exploration, SQL generation, query execution, result interpretation
📁
Cloud Storage
Read, write, list, and inspect GCS buckets and objects
☁️
Cloud Run
Deploy revisions, view logs, manage traffic splits
🔨
Pub/Sub
Publish/subscribe to topics, inspect subscription backlogs
🖤
Spanner
Schema introspection and SQL execution on distributed databases
📍
Maps Platform
Geocoding, directions, and Places API lookups
🎥
YouTube Data
Search, channel stats, video metadata at scale
📊
Looker
Explore dashboards and run LookML queries conversationally

The official repos for these servers are github.com/googleapis/mcp-toolbox-for-databases (BigQuery, Spanner, Postgres, MySQL) and individual packages under the @google/mcp-server-* npm namespace for Cloud Run, GCS, Pub/Sub, Maps, and YouTube.

Why It Matters

The average data team spends 4-6 hours per week writing one-off SQL queries to answer ad-hoc business questions. BigQuery MCP compresses that to minutes per question. Cloud Run MCP turns a 15-step incident response runbook into a 3-prompt conversation. These aren't productivity improvements — they're workflow eliminations.

Before any Google Cloud MCP server can make a single API call, Gemini CLI needs credentials. Application Default Credentials is the foundation everything else builds on.

Authentication: Application Default Credentials

Technical Definition — ADC Credential Chain

ADCApplication Default Credentials — a Google Cloud authentication strategy where client libraries check a prioritized chain of credential sources. The chain is: (1) GOOGLE_APPLICATION_CREDENTIALS env var, (2) gcloud CLI user credentials (~/.config/gcloud/application_default_credentials.json), (3) attached service account (when running on GCP). This means the same code works locally and in production without changes. works by checking a prioritized credential chain: explicit credentials (via GOOGLE_APPLICATION_CREDENTIALS env var) → gcloud CLI user credentials → service account metadata (when running on GCP itself). For local development, gcloud auth application-default login creates a credentials file that the Google Cloud SDKs — and therefore all MCP servers — pick up automatically. You never embed credentials in config files.

# CHUNK 1 — Install gcloud CLI via winget
# WHAT: Downloads and installs the Google Cloud SDK on Windows
# WHY: gcloud provides the auth commands all MCP servers rely on
# GOTCHA: Restart your terminal after install so PATH is updated
winget install Google.CloudSDK

# CHUNK 2 — Authenticate for local development
# WHAT: Opens a browser OAuth flow that writes ADC credentials to disk
# WHY: These credentials are auto-detected by every Google Cloud SDK
# GOTCHA: Use --no-browser if running on a headless machine (it prints a URL)
gcloud auth application-default login

# CHUNK 3 — Set your default project
# WHAT: Configures which GCP project all gcloud and SDK commands target
# WHY: Most MCP servers inherit this default; you can also override per-server
gcloud config set project YOUR_PROJECT_ID

# CHUNK 4 — Verify credentials are working
# WHAT: Prints a short-lived access token — confirms ADC is set up correctly
# GOTCHA: Token expires after ~1 hour; gcloud refreshes it automatically
gcloud auth application-default print-access-token
# CHUNK 1 — Install gcloud CLI
# WHAT: Downloads and runs the Google Cloud SDK installer script
# GOTCHA: On M1/M2 Mac, use "brew install --cask google-cloud-sdk" instead
curl https://sdk.cloud.google.com | bash
exec -l $SHELL   # reload shell to pick up PATH changes

# CHUNK 2 — Initialize and authenticate
# WHAT: gcloud init sets your project; ADC login creates local credentials
gcloud init
gcloud auth application-default login

# CHUNK 3 — For CI/CD: use a service account key file
# WHAT: Points ADC to a JSON key file instead of interactive credentials
# WHY: CI runners have no browser; service accounts are the right auth pattern
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"

# CHUNK 4 — Verify
gcloud auth application-default print-access-token
WHAT: ADC credentials are written to ~/.config/gcloud/application_default_credentials.json (Mac/Linux) or %APPDATA%\gcloud\application_default_credentials.json (Windows). Every Google Cloud MCP server reads this file automatically — you never reference it directly. GOTCHA (Windows): If you set GOOGLE_APPLICATION_CREDENTIALS to a path with backslashes in PowerShell, use forward slashes or escape the backslashes: C:/keys/sa-key.json.
Animation — ADC Auth Flow: gcloud → Credentials File → MCP Server → Google Cloud API
gcloud auth application-default login
waiting
Browser opens → Google OAuth consent screen
waiting
OAuth code exchanged → ADC credentials file written to disk
waiting
Gemini CLI starts BigQuery MCP server process (npx)
waiting
MCP server reads ADC credentials file automatically
waiting
MCP server calls BigQuery API with access token
waiting
Results returned to Gemini CLI → model interprets
waiting
Tip — Service Account for Team or CI Use

For shared team configs or CI pipelines, create a dedicated service account in the GCP Console with the minimum required roles (see the Cost & Best Practices section). Download its JSON key, set GOOGLE_APPLICATION_CREDENTIALS in your environment or CI secrets, and every MCP server will use it automatically — no interactive login required.

With ADC in place, every MCP server below connects with zero extra credential setup. Let's start with the highest-leverage integration: BigQuery.

BigQuery MCP — Natural Language to SQL

The BigQuery MCP serverAn MCP server that exposes BigQuery tools to Gemini: list_datasets, list_tables, get_table_schema, run_query, and describe_query_results. The server runs as a local npx process and communicates with BigQuery via the Google Cloud Node.js SDK using your ADC credentials. turns your entire data warehouse into a conversational interface. Gemini can list datasets, introspect table schemas, generate correct SQL, run queries, and interpret results — all from a single natural-language prompt.

Adding BigQuery MCP to GEMINI.md

# GEMINI.md — add this block to enable BigQuery MCP

## MCP Servers

- name: bigquery
  command: npx
  args:
    - "-y"
    - "@google/mcp-server-bigquery"
    - "--project"
    - "my-gcp-project"
    - "--location"
    - "US"
# CHUNK 1 — Install MCP Toolbox for Databases
# WHAT: Google's Python package that wraps BigQuery, Spanner, Postgres, etc.
# WHY: Use this if you need connection pooling or custom SQL templating
pip install mcp-toolbox-for-databases

# CHUNK 2 — Create toolbox_config.yaml
# WHAT: Declarative config that maps data sources to MCP tool sets
# GOTCHA: The YAML indentation is significant; use spaces, not tabs
toolbox_config.yaml (MCP Toolbox approach)
# CHUNK 1 — Declare the BigQuery data source
# WHAT: Tells MCP Toolbox which GCP project and region to connect to
# WHY: You can define multiple sources (prod vs dev) in the same file
sources:
  my_bq_source:
    kind: bigquery
    project: my-gcp-project
    location: US

# CHUNK 2 — Define which tools Gemini gets access to
# WHAT: toolsets control which source-level operations are exposed as MCP tools
# GOTCHA: Omitting a toolset means Gemini has no BigQuery tools at all
toolsets:
  bq_tools:
    - source: my_bq_source

Real Workflows After Connecting

WORKFLOW 1 Schema exploration
What tables are in the `analytics` dataset? Show me the schema for the `events` table, including column descriptions if present.
Dataset `analytics` contains 7 tables:
  • events — 2.1B rows, partitioned by event_date, clustered by user_id, event_name
  • users — 4.2M rows, partitioned by created_date
  • orders, sessions, page_views, funnel_steps, ab_experiments
Schema: analytics.events
  • event_date DATE — Partition column. Date the event occurred (UTC).
  • event_timestamp TIMESTAMP — Microsecond precision event time.
  • user_id STRING — Hashed user identifier. Null for anonymous sessions.
  • event_name STRING — e.g. "page_view", "add_to_cart", "purchase"
  • event_params ARRAY<STRUCT> — Key-value event parameters. Use UNNEST() to query.
WORKFLOW 2 SQL generation & execution
Write a BigQuery query to find the top 10 users by total revenue in the last 30 days, joining the events and users tables. Run it and show me the results.
Generated query:
SELECT u.user_id, u.email, SUM(o.revenue_usd) AS total_revenue
FROM `my-gcp-project.analytics.orders` o
JOIN `my-gcp-project.analytics.users` u USING (user_id)
WHERE o.event_date >= DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY)
GROUP BY u.user_id, u.email
ORDER BY total_revenue DESC
LIMIT 10
Query results (10 rows, 2.3 GB processed, 1.2s):

Top user: user_8821 — $48,204 total revenue. Median top-10 revenue: $19,670. These 10 users represent 3.2% of your user base but 22% of 30-day revenue.

WORKFLOW 3 Anomaly detection
Check our `analytics.events` data for the past week. Are there any anomalies in daily page_view counts compared to the previous 4 weeks? Flag any days more than 2 standard deviations from the baseline.
ANOMALY June 7, 2026: 1.2M page views vs. 4-week baseline of 2.1M (−43%). This is 3.8 standard deviations below normal. Likely causes: weekend + possible data pipeline gap.

All other 6 days: NORMAL within ±1.2 std devs of the 4-week mean. No other anomalies detected.

WHAT: Gemini generated and executed a statistical analysis query (using BigQuery's STDDEV_POP window function) entirely autonomously. WHY: You didn't need to know the correct aggregation syntax — you described the analysis, Gemini wrote the SQL, ran it, and interpreted the output. GOTCHA: BigQuery charges for data scanned. Use the --maximum_bytes_billed flag (see Cost section) to cap accidental full-table scans.
Animation — BigQuery Round-Trip: Prompt → MCP → BigQuery → Gemini Interprets
You: "Find top 10 users by revenue last 30 days"
waiting
Gemini calls: bigquery.list_tables(dataset="analytics")
waiting
Gemini calls: bigquery.get_table_schema(table="orders")
waiting
Gemini generates JOIN query with correct column names
waiting
Gemini calls: bigquery.run_query(sql=...) → 10 rows returned
waiting
Gemini interprets results → "Top 10 = 22% of revenue"
waiting

What Just Happened?

Gemini made three separate MCP tool calls before writing a single line of SQL: it listed tables, fetched the schema, and only then generated a query it knew would work. This is the key difference from copy-pasting a schema: Gemini always has the current schema, never hallucinates column names, and can iterate if the first query returns unexpected results.

BigQuery handles your data warehouse. The same MCP pattern applies to Cloud Storage for file-based workflows — and the prompts look just as natural.

Cloud Storage MCP

GEMINI.md — add GCS MCP server
## MCP Servers

- name: gcs
  command: npx
  args:
    - "-y"
    - "@google/mcp-server-gcs"
    - "--project"
    - "my-gcp-project"

Use Cases

List & Summarize

List all objects in gs://my-bucket/exports/ and summarize what file types and date ranges are present

Config Audit

Read gs://config-bucket/prod/config.json and check for deprecated settings or missing required keys

IAM Diagnosis

I'm getting 403 errors on gs://my-bucket. Check the bucket IAM policy and tell me what role is missing

Cross-env Diff

Compare gs://config/staging/app.yaml and gs://config/prod/app.yaml — what's different?

PROMPT Config audit across environments
Read gs://my-config-bucket/prod/config.json and gs://my-config-bucket/staging/config.json. Show me every key that differs between them and flag any deprecated settings (anything with a key name containing "legacy" or "deprecated").
Differences found (4 keys):
  • DIFF database.max_connections: prod=100, staging=25
  • DIFF cache.ttl_seconds: prod=3600, staging=300
  • DEPRECATED legacy_auth_enabled: prod=false, staging=true — this key is deprecated; staging config still has it set to true
  • DEPRECATED deprecated_rate_limit: present in staging only — not in prod config at all

Recommendation: Remove legacy_auth_enabled and deprecated_rate_limit from staging config. Both are omitted from prod correctly.

Headless File Processing

For batch workflows, use Gemini CLI in non-interactive mode to process files in GCS from a script or CI step:

# WHAT: Run Gemini CLI headlessly to process GCS files in a CI/automation context
# WHY: --no-interactive suppresses the REPL so output can be piped or redirected
# GOTCHA: Requires GEMINI.md with gcs MCP configured in the working directory
gemini -p "Read gs://my-bucket/reports/*.csv and produce a JSON summary with total row counts and date ranges per file" --no-interactive | Out-File -FilePath summary.json
# WHAT: Same headless execution pattern for bash/CI environments
# WHY: Gemini output can be piped to jq, saved to files, or used in scripts
gemini -p "Read gs://my-bucket/reports/*.csv and produce a JSON summary with total row counts and date ranges per file" --no-interactive > summary.json
WHAT: -p passes the prompt directly without opening an interactive session. --no-interactive ensures Gemini CLI exits after the first response rather than waiting for more input. GOTCHA: Glob patterns in GCS paths (*.csv) are resolved by the MCP server, not your shell. Quote the entire path to avoid shell expansion.
Reading files is powerful. But the real operational leverage comes when Gemini can act on your running services — Cloud Run MCP makes that possible.

Cloud Run MCP

GEMINI.md — add Cloud Run MCP server
## MCP Servers

- name: cloudrun
  command: npx
  args:
    - "-y"
    - "@google/mcp-server-cloudrun"
    - "--project"
    - "my-gcp-project"
    - "--region"
    - "us-central1"

Incident Response Workflow

WORKFLOW 1 Diagnose a 500 error spike
My service 'api-prod' is returning 500s. Get the last 50 error logs and diagnose the root cause. Check if it started with the most recent revision.
Fetching last 50 ERROR logs for api-prod...
  • ERROR ECONNREFUSED connecting to redis:6379 — 48 occurrences since 14:23 UTC
  • ERROR Request timeout (5s) on /api/cart/checkout — 2 occurrences
Root cause diagnosis: The current revision (api-prod-00047-xyz) was deployed at 14:21 UTC. The Redis connection errors began 2 minutes later. This revision's container config references REDIS_HOST=redis:6379 but the internal DNS for the Redis service was recently renamed to redis-cache:6379. The previous revision did not have this error.

Recommended fix: Update the REDIS_HOST env var to redis-cache:6379 in the Cloud Run service config and deploy a new revision. Or roll back to api-prod-00046 immediately.

WORKFLOW 2 Deploy a new revision with traffic split
Deploy a new revision of 'api-prod' from image gcr.io/my-project/api:v2.1.0 with 512MB memory and 2 CPU. Start with 10% traffic and monitor for 5 minutes before deciding.
Deploying api-prod from gcr.io/my-project/api:v2.1.0...
  • Memory: 512Mi — CPU: 2 — Min instances: 1 — Max instances: 100
  • New revision: api-prod-00048-abc (deployed in 47s)
  • Traffic split: 90% → api-prod-00047-xyz (stable) / 10% → api-prod-00048-abc (new)

Monitoring error rates for 5 minutes... New revision error rate: 0.02% vs. stable: 0.03%. Latency p99: 180ms vs. 220ms. New revision is healthier. Reply "promote" to shift 100% traffic, or "rollback" to revert.

⚠️
Alert Fires
Error rate spike detected in Cloud Monitoring
🤖
Gemini + Cloud Run MCP
Fetch logs, diagnose root cause, identify which revision
🔧
Fix + Deploy
Deploy corrected revision or roll back previous
Verify
Check error rates stabilize on new revision
Why It Matters

A typical Cloud Run incident response with manual gcloud commands takes 12-18 minutes: fetching logs, reading revision history, identifying the change, deploying a fix. The same workflow via Cloud Run MCP takes 2-3 minutes because Gemini drives all the gcloud commands and interprets the outputs. At 3 AM during an on-call incident, that time difference is significant.

Cloud Run handles your services. Pub/Sub handles the messages flowing between them — and the MCP integration makes queue health visible in plain English.

Pub/Sub MCP

GEMINI.md — add Pub/Sub MCP server
## MCP Servers

- name: pubsub
  command: npx
  args:
    - "-y"
    - "@google/mcp-server-pubsub"
    - "--project"
    - "my-gcp-project"
Technical Definition — What Pub/Sub MCP Exposes

Pub/SubGoogle Cloud Pub/Sub is an asynchronous messaging service. Publishers send messages to named topics; subscribers pull from or receive push-delivered messages via subscriptions. It decouples services that produce events from services that consume them, and buffers messages during downstream outages. MCP exposes tools for: listing topics and subscriptions, reading unacked message counts, pulling messages from a subscription (for inspection), and publishing test messages to topics. It does not expose destructive operations like deleting topics by default — you need to explicitly enable those in the server config.

Health Check

List all Pub/Sub topics and show unacked message counts for each subscription

Backlog Diagnosis

My 'payment-events' subscription has 50,000 unacked messages. What should I investigate first?

Test Event

Publish a test event to 'user-signup-topic' with payload {"user_id": "test-123"}

Dead Letter Audit

Check the 'orders-dlq' dead letter queue. Pull the last 5 messages and explain why they failed

PROMPT Diagnosing a Pub/Sub backlog
My 'payment-events' subscription has 50,000 unacked messages building up over the past 2 hours. What should I investigate?
Subscription stats: payment-events
  • Unacked message count: 52,341 (growing — +1,200 in last 5 min)
  • Oldest unacked message age: 2h 14min
  • Subscriber pull rate: 0 messages/sec (subscriber is not pulling)
Diagnosis: The subscriber is not consuming messages. The backlog started at approximately 14:05 UTC. Possible causes:
  • The consuming service crashed or is OOM-killed (check Cloud Run logs for payment-processor service)
  • The subscriber's ack deadline (default: 10s) is too short for slow processing, causing repeated redelivery
  • Authentication error on the subscriber side (check IAM: it needs roles/pubsub.subscriber)

Immediate action: Check Cloud Run service "payment-processor" logs. If it's healthy, increase the ack deadline to 60s and re-check in 5 minutes.

WHAT: The Pub/Sub MCP server called subscriptions.get to read the backlog stats and subscriptions.getIamPolicy to check subscriber permissions. Gemini synthesized these into a ranked list of root causes. GOTCHA: Pub/Sub's "oldest unacked message age" metric is the most reliable signal of subscriber health — message count alone can be misleading if messages are large.
Each MCP server is powerful alone. The real multiplier is running several at once and letting Gemini coordinate calls across them in a single prompt.

Multi-Service Compound Workflows

Registering multiple MCP servers in GEMINI.md lets Gemini route tool calls to the right service automatically. You describe the goal; Gemini figures out which combination of BigQuery, GCS, Cloud Run, and Pub/Sub calls to make.

GEMINI.md — multi-service configuration
## MCP Servers

- name: bigquery
  command: npx
  args: ["-y", "@google/mcp-server-bigquery", "--project", "my-project"]

- name: gcs
  command: npx
  args: ["-y", "@google/mcp-server-gcs", "--project", "my-project"]

- name: cloudrun
  command: npx
  args: ["-y", "@google/mcp-server-cloudrun", "--project", "my-project", "--region", "us-central1"]

Compound Workflow 1 — ETL Pipeline Debugging

COMPOUND PROMPT 3-service pipeline audit
My ETL pipeline ran last night. Check these three things: 1. Did the Cloud Run job 'etl-nightly' complete successfully? (check last run logs) 2. Were output files written to gs://my-bucket/exports/2026-06-10/? 3. Did the BigQuery load succeed? Check analytics.daily_summary has a row for today. Tell me which step failed and why.
Step 1 — Cloud Run job 'etl-nightly': PASSED Last run completed at 03:47 UTC with exit code 0. Processing time: 12m 34s.

Step 2 — GCS output files: FAILED Directory gs://my-bucket/exports/2026-06-10/ does not exist. Found 2026-06-09/ (yesterday) but no 2026-06-10/ prefix. The ETL job completed but wrote files to the wrong date partition.

Step 3 — BigQuery load: FAILED analytics.daily_summary has no row for 2026-06-10. The BigQuery load step depends on the GCS files existing — it skipped because Step 2 failed.

Root cause: The ETL Cloud Run job wrote output to 2026-06-09 instead of 2026-06-10. Likely a timezone bug — the container's TZ is UTC+0 but the partition date logic uses system local time. Check the TARGET_DATE env var in the job definition.

Compound Workflow 2 — Release Validation

COMPOUND PROMPT Deployment health check
I just deployed api-v2.1.0 to Cloud Run 15 minutes ago. 1. Get the last 100 requests from Cloud Run logs for 'api-prod' 2. Query BigQuery analytics.api_errors for errors in the last 15 minutes 3. Compare error rate to yesterday's same 15-minute window Is the new deployment healthy?
Cloud Run logs (last 100 requests): 2 errors (2% error rate) — both are 404s on /api/v1/legacy-endpoint, not 500s.

BigQuery analytics.api_errors (last 15 min): 2 rows matching the same 404 pattern.

Yesterday 14:00–14:15 UTC baseline: 0 errors. These 404s are new with v2.1.0.

Verdict: INVESTIGATE The deployment is healthy for the new API surface (no 500s, latency normal). However v2.1.0 appears to have removed /api/v1/legacy-endpoint without a redirect. If clients are calling that path, they'll receive 404s. Check if any active clients use it before promoting to 100% traffic.

Animation — Multi-MCP Orchestration: One Prompt → Parallel Tool Calls → Merged Answer
You: "ETL ran last night. Did Cloud Run complete? Are GCS files there? Did BigQuery load succeed?"
Cloud Run MCP
get_job_runs("etl-nightly")
GCS MCP
list_objects("exports/2026-06-10/")
BigQuery MCP
run_query("SELECT ... WHERE date='2026-06-10'")
▼ Gemini merges 3 results into one coherent answer ▼
Step 1: PASSED (Cloud Run exit 0)  |  Step 2: FAILED (wrong date partition)  |  Step 3: SKIPPED (depends on Step 2)

What Just Happened?

Gemini dispatched tool calls to three separate MCP servers, received independent results, and synthesized them into a single coherent answer with a root cause and recommended fix. From your perspective: one prompt. From Gemini's perspective: a mini orchestration run across your entire infrastructure stack.

Checkpoint — You Now Have a Natural-Language Infrastructure Console

With BigQuery, GCS, Cloud Run, and Pub/Sub MCP servers registered, Gemini CLI can answer questions about your entire Google Cloud stack without you running a single gcloud command. The GEMINI.md config file is the only thing connecting the model to your infrastructure — commit it to version control so your whole team benefits.

Cloud infrastructure is the highest-leverage use case, but the MCP ecosystem extends to Google's other APIs too — including Maps and YouTube for customer-facing data work.

Maps & YouTube MCP

These MCP servers use API keysAPI keys are simple bearer tokens used by Google Maps Platform and YouTube Data API. Unlike ADC, they are tied to specific APIs and billed per request. Always restrict your API key to specific APIs and referrer/IP in the Google Cloud Console to prevent misuse. rather than ADC — set them in your environment before starting the MCP server.

Google Maps Platform MCP

## MCP Servers

- name: maps
  command: npx
  args:
    - "-y"
    - "@google/mcp-server-maps"
    - "--api-key"
    - "${GOOGLE_MAPS_API_KEY}"
# PowerShell — set for current session
$env:GOOGLE_MAPS_API_KEY = "AIzaSy..."

# Or set permanently in user profile
[Environment]::SetEnvironmentVariable("GOOGLE_MAPS_API_KEY", "AIzaSy...", "User")
Bulk Geocoding

Geocode all 500 addresses in this CSV and add latitude/longitude columns

Nearest Location

Given this list of 20 service centers, find the 3 nearest to zip code 94107

Route Optimization

Calculate driving time between these 10 depot-to-customer pairs for today's delivery schedule

Address Validation

Check this customer address list for invalid or ambiguous entries before loading to CRM

YouTube Data API MCP

GEMINI.md — YouTube MCP
## MCP Servers

- name: youtube
  command: npx
  args:
    - "-y"
    - "@google/mcp-server-youtube"
    - "--api-key"
    - "${GOOGLE_YOUTUBE_API_KEY}"
Competitor Analysis

Get the last 20 videos from channels A, B, and C. Which topics are getting the most views?

Performance Trends

Show views, likes, and comment counts for my channel's last 50 videos. What's trending up?

Bulk Metadata

Update descriptions for all videos in playlist "Product Demos" to include our new CTA text

Search Intent

What are the top 10 YouTube videos for "kubernetes debugging"? Summarize the content gaps

Gotcha — API Key vs. ADC

Maps and YouTube use simple API keys, not ADC. This means they bypass IAM role restrictions — the key has access to whatever APIs it's enabled for. Always restrict your API key in the Google Cloud Console to only the Maps/YouTube APIs you need, and set application restrictions (HTTP referrer or IP range). Never commit API keys to version control — use environment variables or a secrets manager.

With multiple MCP servers running, the question isn't whether you can use them — it's how to use them without an unexpected $800 BigQuery bill at the end of the month.

Cost, Quotas & Best Practices

Per-Service Cost Profile

Service What's Billed Safety Mechanism
BigQuery Data scanned per query ($6.25/TB). Even a schema introspection query scans some data. --maximum_bytes_billed flag on the MCP server
Cloud Run Reads/logs are free. Deployments count toward Cloud Run invocations ($0.40/million). IAM: restrict to roles/run.developer not admin
Cloud Storage List and read operations ($0.004/10k ops). Large file reads count as Class B ops. Use a read-only service account for GCS MCP
Pub/Sub Message delivery ($0.04/GB). MCP pull operations count as subscriber pulls. Limit max_messages in pull config
Maps Platform Per-request billing ($0.005–$0.017 depending on API). No free tier for bulk use. Set daily quota limit in Cloud Console
YouTube Data API Unit-based quota (10,000 units/day free). Search costs 100 units/request. Monitor quota usage in Cloud Console dashboard

BigQuery Cost Guard

GEMINI.md — BigQuery with cost cap
## MCP Servers

- name: bigquery
  command: npx
  args:
    - "-y"
    - "@google/mcp-server-bigquery"
    - "--project"
    - "my-gcp-project"
    - "--location"
    - "US"
    - "--maximum_bytes_billed"
    - "10737418240"   # 10 GB cap — queries scanning more than this will fail safely
WHAT: --maximum_bytes_billed sets a per-query limit. Any query that would scan more than 10 GB returns an error instead of running. WHY: Accidental full-table scans on a 50-TB table would cost $312. This flag caps your exposure. GOTCHA: Set the limit in bytes, not gigabytes. 1 GB = 1,073,741,824 bytes.

Minimum-Privilege IAM Setup

Create a dedicated service account for your MCP servers and grant only the roles each service actually needs:

# CHUNK 1 — Create a dedicated service account for MCP servers
# WHAT: One SA for all MCP servers, minimal privilege
# WHY: If credentials are ever leaked, the blast radius is limited
$PROJECT = "my-gcp-project"
$SA_NAME = "gemini-mcp-agent"
gcloud iam service-accounts create $SA_NAME `
  --display-name "Gemini CLI MCP Agent" `
  --project $PROJECT

$SA_EMAIL = "$SA_NAME@$PROJECT.iam.gserviceaccount.com"

# CHUNK 2 — Grant BigQuery read + job run (but not write)
# WHAT: Data Viewer lets the SA read tables/schemas; Job User lets it run queries
# GOTCHA: Do NOT grant BigQuery Admin or Data Editor unless you need writes
gcloud projects add-iam-policy-binding $PROJECT `
  --member "serviceAccount:$SA_EMAIL" `
  --role "roles/bigquery.dataViewer"
gcloud projects add-iam-policy-binding $PROJECT `
  --member "serviceAccount:$SA_EMAIL" `
  --role "roles/bigquery.jobUser"

# CHUNK 3 — Grant GCS read-only
gcloud projects add-iam-policy-binding $PROJECT `
  --member "serviceAccount:$SA_EMAIL" `
  --role "roles/storage.objectViewer"

# CHUNK 4 — Grant Cloud Run developer (not admin)
# WHAT: Developer can deploy and view logs but cannot delete services
gcloud projects add-iam-policy-binding $PROJECT `
  --member "serviceAccount:$SA_EMAIL" `
  --role "roles/run.developer"

# CHUNK 5 — Download the key and set ADC
gcloud iam service-accounts keys create gemini-mcp-key.json `
  --iam-account $SA_EMAIL
$env:GOOGLE_APPLICATION_CREDENTIALS = "C:/keys/gemini-mcp-key.json"
PROJECT="my-gcp-project"
SA_NAME="gemini-mcp-agent"
SA_EMAIL="$SA_NAME@$PROJECT.iam.gserviceaccount.com"

# Create service account
gcloud iam service-accounts create $SA_NAME \
  --display-name "Gemini CLI MCP Agent" \
  --project $PROJECT

# BigQuery: read schemas + run queries (no writes)
gcloud projects add-iam-policy-binding $PROJECT \
  --member "serviceAccount:$SA_EMAIL" \
  --role "roles/bigquery.dataViewer"
gcloud projects add-iam-policy-binding $PROJECT \
  --member "serviceAccount:$SA_EMAIL" \
  --role "roles/bigquery.jobUser"

# Cloud Storage: read only
gcloud projects add-iam-policy-binding $PROJECT \
  --member "serviceAccount:$SA_EMAIL" \
  --role "roles/storage.objectViewer"

# Cloud Run: deploy + logs, not delete
gcloud projects add-iam-policy-binding $PROJECT \
  --member "serviceAccount:$SA_EMAIL" \
  --role "roles/run.developer"

# Download key and set ADC
gcloud iam service-accounts keys create ~/keys/gemini-mcp-key.json \
  --iam-account $SA_EMAIL
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/keys/gemini-mcp-key.json"

Recommended IAM Roles by Service

MCP Server Minimum Read-Only Role Role to Add for Writes/Deploy
BigQuery roles/bigquery.dataViewer + roles/bigquery.jobUser roles/bigquery.dataEditor (for INSERT/UPDATE)
Cloud Storage roles/storage.objectViewer roles/storage.objectAdmin (for write/delete)
Cloud Run roles/run.viewer roles/run.developer (for deploy)
Pub/Sub roles/pubsub.viewer roles/pubsub.publisher + roles/pubsub.subscriber
Windows Gotcha — Credential Path Backslashes

When setting GOOGLE_APPLICATION_CREDENTIALS in PowerShell, Windows path backslashes can cause parsing errors in some SDKs. Use forward slashes: $env:GOOGLE_APPLICATION_CREDENTIALS = "C:/keys/gemini-mcp-key.json". Alternatively, use a raw string: [Environment]::SetEnvironmentVariable(...). This affects both the npm-based MCP servers and the Python MCP Toolbox.

Best Practice — Separate SA per Environment

Use different service accounts for dev, staging, and prod GEMINI.md configs. Your dev SA should have read-only access to dev datasets; your prod SA should have the minimal roles needed for production operations. Store each key in your environment's secret manager (Secret Manager, 1Password, or CI secrets), not on local disk.

Knowledge Check

Six questions on Google Cloud MCP servers.

1. What command sets up Application Default Credentials for local Gemini CLI MCP use on Windows?

A
Set the GEMINI_GCLOUD_KEY environment variable to your service account JSON path
B
gcloud auth application-default login after installing the gcloud CLI
C
Add an auth_token field to GEMINI.md under each MCP server entry
D
Run gemini auth gcloud --login within the Gemini CLI REPL
Correct! gcloud auth application-default login writes a credentials file that every Google Cloud SDK (including all MCP servers) automatically detects. You run it once and all MCP servers pick it up without any per-server configuration.
ADC is set up with gcloud auth application-default login. This creates a local credentials file that all Google Cloud SDKs (and therefore all Google Cloud MCP servers) read automatically. No API key or per-server config is needed for ADC.

2. How do you add the BigQuery MCP server to a project's GEMINI.md to connect to the "my-project" GCP project?

A
Add bigquery: true under a google_cloud: section in GEMINI.md
B
Run gemini extensions install bigquery --project my-project
C
Add an MCP Servers entry with command: npx, args: ["-y", "@google/mcp-server-bigquery", "--project", "my-project"]
D
Add a BIGQUERY_PROJECT=my-project environment variable and restart Gemini CLI
Correct! Google Cloud MCP servers are registered in GEMINI.md under "## MCP Servers" as npx commands. Each server is its own process started by Gemini CLI, with the project and other config passed as command-line arguments.
Google Cloud MCP servers are registered as npx entries in the "## MCP Servers" section of GEMINI.md. There is no gemini extensions install command for Cloud services — they run as standalone npx processes specified in GEMINI.md.

3. What are the two minimum IAM roles the BigQuery MCP service account needs to run queries (not write data)?

A
roles/bigquery.admin and roles/bigquery.dataOwner
B
roles/bigquery.dataEditor and roles/bigquery.user
C
roles/bigquery.dataViewer and roles/bigquery.jobUser
D
roles/bigquery.readSessionUser alone is sufficient
Correct! bigquery.dataViewer allows reading table data and schemas. bigquery.jobUser allows creating and running query jobs. Both are needed: Viewer without JobUser means you can see the schema but can't execute queries.
The minimum read-only roles are roles/bigquery.dataViewer (to read table schemas and data) and roles/bigquery.jobUser (to run query jobs). Admin and dataOwner grant far more permissions than needed and violate least-privilege.

4. What flag prevents the BigQuery MCP server from running a query that would scan more than a specified amount of data?

A
--max-scan-gb
B
--dry-run
C
--maximum_bytes_billed
D
--query-budget
Correct! --maximum_bytes_billed is passed as a command-line argument to the @google/mcp-server-bigquery npx command in GEMINI.md. Queries that would scan more than this byte limit return an error instead of executing, protecting you from accidental full-table scan costs.
The flag is --maximum_bytes_billed (in bytes, not gigabytes). It's passed as an argument to the @google/mcp-server-bigquery npx command in GEMINI.md. A 10 GB limit = 10,737,418,240 bytes.

5. Your Cloud Run service 'api-prod' is returning 500 errors. Which MCP server would you use to fetch the recent error logs and diagnose the root cause?

A
The BigQuery MCP server (Cloud Logging exports logs to BigQuery by default)
B
The Cloud Storage MCP server (logs are written to GCS buckets)
C
The Cloud Run MCP server (@google/mcp-server-cloudrun)
D
No MCP server is needed — use the /gcalendar Workspace command
Correct! The Cloud Run MCP server exposes tools to fetch service logs, list revisions, check revision status, and compare error rates across deployments. It queries the Cloud Logging API for the specific service's logs directly.
The Cloud Run MCP server (@google/mcp-server-cloudrun) has direct access to Cloud Run service logs, revision history, and deployment status. BigQuery and GCS are not the right tools for live service log access.

6. You configure BigQuery, GCS, and Cloud Run MCP servers in one GEMINI.md. You ask: "Did my ETL job complete and write its output files?" Which best describes what happens?

A
Gemini asks you to specify which MCP server to use for each part of the question
B
Gemini only uses the first MCP server listed in GEMINI.md for any given prompt
C
Gemini automatically routes tool calls to the appropriate MCP servers (Cloud Run for job logs, GCS for file listing) and synthesizes the results into one answer
D
Gemini runs all MCP servers sequentially and returns the output from whichever responds last
Correct! When multiple MCP servers are registered, Gemini automatically selects the right tool for each sub-question. For "did the ETL job complete?" it calls Cloud Run MCP. For "are the files there?" it calls GCS MCP. It then merges both results into a single coherent answer.
Gemini automatically routes each part of a compound question to the appropriate MCP server. You don't specify which server to use — Gemini decides based on the available tool descriptions and the nature of each sub-question, then merges all results.