Happy slice of mcp pizzaMCP.pizza

mcp-sse-authenticated-cloud-run

MCP.Pizza Chef: the-freetech-company

mcp-sse-authenticated-cloud-run is an MCP server deployment hosted on Google Cloud Run that uses Google Cloud IAM for secure user-based authentication. It enables safe, authenticated access to an MCP SSE server over the internet, leveraging Cloud Run's managed infrastructure and IAM policies. This solution addresses current MCP authentication gaps by providing a network-layer security proxy, allowing teams to share MCP servers securely before native MCP auth features are finalized.

Use This MCP server To

Host MCP SSE server with secure IAM-based authentication Share MCP server access securely with team members over internet Deploy MCP server on scalable Google Cloud Run infrastructure Use Google Cloud SDK proxy for authenticated MCP client connections Enable secure real-time MCP context streaming with IAM policies

README

Host MCP SSE Server on Google Cloud Run

At the moment (03/04/2024) MCP is still addressing Authentication and Authorization. They plan to complete this in H1 2025. The issue is, I want to share my MCP server with my team NOW. So here we are. The only immediate answer to use a SSE MCP server in Cursor, etc.. right now is a network layer based solution (e.g., a proxy). Basic auth, api keys, forget about it.

Utilizing GCP Cloud Run and User Based IAM Authentication, I have created a simple, secure way to allow clients to access a custom MCP server over the internet.

MCP Roadmap

MCP Not Supported

How it works

The MCP server is hosted on Google Cloud Run. Utilizing Cloud Run IAM Authentication, we can securely connect to the server from the internet by utilizing the Google Cloud SDK to create a proxy connection.

TLDR README

This should work out of the box with minimal config if you already have docker and the gcloud CLI set up locally.

Step 1: Update deploy.sh with your project id, service account email, etc.

Step 2: On deploy success, grab the cloud run URL that was provided, and add it to mcp_proxy.ts along with your project id.

Step 3: Run the proxy npx ts-node mcp_proxy.ts Running proxy asking question

Step 3: Access your MCP server using http://localhost:3030 - Add it to Cursor under Settings > Features > MCP Servers (make sure you select SSE not command)

LONG BORING README

Deployment Steps

  1. Clone the repository
  2. Run npm install to install the dependencies
  3. Run npm run dev to start the server locally

Deployment to Google Cloud Run

To deploy your MCP server to Google Cloud Run:

  1. Make sure you have the Google Cloud SDK installed
  2. Update the deploy.sh script with your project details:
    • PROJECT_ID: Your Google Cloud project ID
    • REGION: Your preferred GCP region
    • SERVICE_ACCOUNT_EMAIL: The service account email with appropriate permissions
  3. Run the deployment script: 
    chmod +x deploy.sh
./deploy.sh

The deployment script will:

  • Build a Docker container for your MCP server
  • Push it to Google Container Registry
  • Deploy it to Cloud Run with authentication enabled

Connecting to your deployed MCP server

To connect to your deployed MCP server:

  1. Run the MCP proxy locally:

    npx ts-node mcp_proxy.ts

  2. The proxy will:

    • Check if you're authenticated with Google Cloud
    • Obtain authentication tokens automatically
    • Create a local proxy server (default: http://localhost:3030)
    • Forward authenticated requests to your Cloud Run service

  3. Configure your MCP client to connect to the local proxy URL

Use the MCP server in Cursor

  1. First, let's run our proxy to establish a connection between our local machine and the MCP server hosted on Google Cloud Run.
npx ts-node mcp_proxy.ts
  1. Now let's add our local proxy server to cursor within the Setting > Features tab in the MCP server section.

Adding proxy to cursor

Adding proxy to cursor

  1. Now, we're good to go! Start a new composer (ensure you are in agent mode) and ask what the weather is in a location. Your ouput in your terminal where the proxy is connected + the output of your composer should look like this:

Running proxy asking question

Security

This setup provides several security benefits:

  • Your MCP server is not publicly accessible without authentication
  • All connections are secured with Google Cloud IAM
  • Team members need Google Cloud SDK access to connect

Connection Issues

  • Verify the Cloud Run URL in mcp_proxy.ts matches your deployed service
  • Check Cloud Run logs for any server-side errors

Contributing

Contributions are welcome! Feel free to submit issues or pull requests.

License

MIT

mcp-sse-authenticated-cloud-run FAQ

How does IAM authentication work with this MCP server?
It uses Google Cloud Run's IAM to authenticate users, ensuring only authorized clients connect via secure proxy.
Can I use this MCP server without Google Cloud SDK?
No, the current setup requires Google Cloud SDK to create an authenticated proxy connection to the server.
Is this MCP server suitable for production use?
It is a secure interim solution ideal for team sharing but may lack full MCP auth features planned for 2025.
What are the benefits of hosting MCP on Cloud Run?
Cloud Run offers scalable, managed hosting with integrated IAM security and easy internet access.
Does this server support basic auth or API keys?
No, it relies solely on Google Cloud IAM authentication, as basic auth and API keys are not supported.
How do I configure client access to this MCP server?
Clients must use Google Cloud SDK to establish an authenticated proxy connection respecting IAM permissions.
Will this solution work with other cloud providers?
This implementation is specific to Google Cloud Run and IAM; other clouds require different setups.
What MCP features are currently unsupported?
Native MCP authentication and authorization are still in development and expected by mid-2025.