To more strongly embrace the success and growing customer preference for OSS solutions, Cloud Composer is evolving to become Managed Service for Apache Airflow . This name change provides improved customer understanding of our portfolio while reinforcing our commitment to being the most open cloud ecosystem.

Use the Cloud Composer remote MCP server

Cloud Composer 3 | Cloud Composer 2 | Cloud Composer 1

This document describes how to use the Cloud Composer remote Model Context Protocol (MCP) server to connect to Cloud Composer from AI applications such as Gemini CLI, ChatGPT, Claude, or in AI applications that you're developing. The Cloud Composer MCP server lets you manage Cloud Composer environments and get details about executed DAG runs and Airflow tasks.

Model Context Protocol (MCP) standardizes how large language models (LLMs) and AI applications or agents connect to external data sources. MCP servers let you use their tools, resources, and prompts to take actions and get updated data from their backend service.

What's the difference between local and remote MCP servers?

Local MCP servers: Typically run on your local machine and use the standard input and output streams (stdio) for communication between services on the same device.
Remote MCP servers: Run on the service's infrastructure and offer an HTTP endpoint to AI applications for communication between the AI MCP client and the MCP server. For more information about MCP architecture, see MCP architecture .

Google and Google Cloud remote MCP servers

Google and Google Cloud remote MCP servers have the following features and benefits:

Simplified, centralized discovery.
Managed global or regional HTTP endpoints.
Fine-grained authorization.
Optional prompt and response security with Model Armor protection.
Centralized audit logging.

For information about other MCP servers and information about security and governance controls available for Google Cloud MCP servers, see Google Cloud MCP servers overview .

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

Select a project : Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project : To create a project, you need the Project Creator role ( roles/resourcemanager.projectCreator ), which contains the resourcemanager.projects.create permission. Learn how to grant roles .

Go to project selector

If you're using an existing project for this guide, verify that you have the permissions required to complete this guide . If you created a new project, then you already have the required permissions.

Enable the Cloud Composer API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ), which contains the serviceusage.services.enable permission. Learn how to grant roles .

Enable the API

Install the Google Cloud CLI.

Note:If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update .

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

To initialize the gcloud CLI, run the following command:

gcloud  
init

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Roles required to select or create a project

Select a project : Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
Create a project : To create a project, you need the Project Creator role ( roles/resourcemanager.projectCreator ), which contains the resourcemanager.projects.create permission. Learn how to grant roles .

Go to project selector

Enable the Cloud Composer API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ), which contains the serviceusage.services.enable permission. Learn how to grant roles .

Enable the API

Install the Google Cloud CLI.

Note:If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update .

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

To initialize the gcloud CLI, run the following command:

gcloud  
init

Required roles

To get the permissions that you need to enable the Cloud Composer MCP server, ask your administrator to grant you the following IAM roles on the project where you want to enable the Cloud Composer MCP server:

Service Usage Admin ( roles/serviceusage.serviceUsageAdmin )
Make MCP tool calls: MCP Tool User ( roles/mcp.toolUser )

For more information about granting roles, see Manage access to projects, folders, and organizations .

You might also be able to get the required permissions through custom roles or other predefined roles .

Authentication and authorization

The Cloud Composer remote MCP server uses the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.

We recommend that you create a separate identity for agents that are using MCP tools so that access to resources can be controlled and monitored. For more information about authentication, see Authenticate to MCP servers .

Cloud Composer MCP OAuth scopes

OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs .

Cloud Composer has the following MCP tool OAuth scopes:

Scope URI for gcloud CLI	Description
`https://www.googleapis.com/auth/cloudcomposer.readonly`	Only allows access to read data.
`https://www.googleapis.com/auth/cloudcomposer`	Allows access to read and modify data.

Configure an MCP client to use the Cloud Composer MCP server

AI applications and agents, such as Claude or Gemini CLI, can instantiate an MCP client that connects to a single MCP server. An AI application can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client must know the remote MCP server's URL.

In your AI application, look for a way to connect to a remote MCP server. You are prompted to enter details about the server, such as its name and URL.

For the Cloud Composer MCP server, enter the following as required:

Server name: Cloud Composer MCP server
Endpoint: composer.{region}.rep.googleapis.com/mcp
Transport: HTTP
Authentication details: Depending on how you want to authenticate, you can enter your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials. For more information about authentication, see Authenticate to MCP servers .
OAuth scope: the OAuth 2.0 scope that you want to use when connecting to the Cloud Composer MCP server.

For host-specific guidance about setting up and connecting to MCP server, see the following:

For more general guidance, see the following resources:

Available tools

MCP tools that are read-only have the MCP attribute mcp.tool.isReadOnly set to true . You might want to only allow read-only tools in certain environments through your organization policy.

To view details of available MCP tools and their descriptions for the Cloud Composer MCP server, see the Cloud Composer MCP reference .

List tools

Use the MCP inspector to list tools, or send a tools/list HTTP request directly to the Cloud Composer remote MCP server. The tools/list method doesn't require authentication.

 POST /mcp HTTP/1.1
Host: composer.{region}.rep.googleapis.com/mcp
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/list",
}

Example use cases

The following are example use cases for the Cloud Composer MCP server:

Describe environment status

In this sample use case, you ask questions about environments in your project.

Find all Cloud Composer environments in us-central1 that aren't in the running state at the moment. If any of them are in the error state, tell me the time when this environment was last updated and the environment's workloads configuration.

Workflow: Describing Cloud Composer environments might look like the following.

View the environments list: The agent uses list_environments to obtain the list of environments in the specified region, along with information about the last update time.

Create a new Cloud Composer environment with custom PyPI packages

In this sample use case, you create a new Cloud Composer environment and then install custom PyPI packages into it.

Sample prompt:

Create a new Cloud Composer 3 environment with Airflow 2 in my project. Then install the nltk[machine_learning] package to it. Use the example-account@example-project.iam.gserviceaccount.com service account for the environment.

Workflow: Creating a new Cloud Composer environment and then installing custom PyPI packages into it might look like the following.

Create an environment: The agent uses create_environment to create a new environment with the provided configuration parameters. The agent asks about additional configuration parameters such as the list of IP addresses that are allowed to access the Airflow UI.
Install packages: The agent calls manage_pypi_packages to install the specified PyPI package.

Trobuleshooting failed DAG runs and tasks

Check the example-environment-name Cloud Composer environment in us-central1. The example_dag is failing, and I want to know why and at which task specifically. Also tell me about any other DAGs that failed in this environment in the past 24 hours.

Workflow: Troubleshooting failed DAG runs might look like the following.

Get failed DAG runs: The agent uses find_last_failed_dag_runs to obtain the list of failed DAG runs for the example_dag DAG in the specified environment. The agent uses the same tool to obtain the list of all failed DAG runs.
Inspect the failed DAG run: The agent calls list_failed_task_instances to get the list of task instances of the DAG run that are in the failed state.
Analyze failed task logs: The agent uses get_task_instance to obtain the details of the failed task instance, including data required to retrieve logs.
Inspect the DAG source code: The agent uses get_dag_source_code to analyze the failed task source code for errors.

Optional security and safety configurations

MCP introduces new security risks and considerations due to the wide variety of actions that you can do with the MCP tools. To minimize and manage these risks, Google Cloud offers default settings and customizable policies to control the use of MCP tools in your Google Cloud organization or project.

For more information about MCP security and governance, see AI security and safety .

Use Model Armor

Model Armor is a Google Cloud service that's designed to enhance the security and safety of your AI applications. It works by proactively screening LLM prompts and responses, protecting against various risks and supporting responsible AI practices. Whether you deploy AI in your cloud environment, or on external cloud providers, Model Armor can help you prevent malicious input, verify content safety, protect sensitive data, maintain compliance, and enforce your AI safety and security policies consistently across your diverse AI landscape.

Model Armor is only available in specific regional locations. If Model Armor is enabled for a project, and a call to that project comes from an unsupported region, Model Armor makes a cross-regional call. For more information, see Model Armor locations .

Enable Model Armor

You must enable Model Armor APIs before you can use Model Armor.

Console

Enable the Model Armor API.

Roles required to enable APIs

To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ), which contains the serviceusage.services.enable permission. Learn how to grant roles .

Enable the API
Select the project where you want to activate Model Armor.

gcloud

Before you begin, follow these steps using the Google Cloud CLI with the Model Armor API:

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Run the following command to set the API endpoint for the Model Armor service.
```
gcloud  
config  
 set 
  
api_endpoint_overrides/modelarmor  
 "https://modelarmor. LOCATION 
.rep.googleapis.com/" 
```
Replace LOCATION with the region where you want to use Model Armor.

Configure protection for Google and Google Cloud remote MCP servers

To help protect your MCP tool calls and responses you can use Model Armor floor settings. A floor setting defines the minimum security filters that apply across the project. This configuration applies a consistent set of filters to all MCP tool calls and responses within the project.

Set up a Model Armor floor setting with MCP sanitization enabled. For more information, see Configure Model Armor floor settings .

See the following example command:

gcloud  
model-armor  
floorsettings  
update  
 \ 
--full-uri = 
 'projects/ PROJECT_ID 
/locations/global/floorSetting' 
  
 \ 
--enable-floor-setting-enforcement = 
TRUE  
 \ 
--add-integrated-services = 
GOOGLE_MCP_SERVER  
 \ 
--google-mcp-server-enforcement-type = 
INSPECT_AND_BLOCK  
 \ 
--enable-google-mcp-server-cloud-logging  
 \ 
--malicious-uri-filter-settings-enforcement = 
ENABLED  
 \ 
--add-rai-settings-filters = 
 '[{"confidenceLevel": "MEDIUM_AND_ABOVE", "filterType": "DANGEROUS"}]'

Replace PROJECT_ID with your Google Cloud project ID.

Note the following settings:

INSPECT_AND_BLOCK : The enforcement type that inspects content for the Google MCP server and blocks prompts and responses that match the filters.
ENABLED : The setting that enables a filter or enforcement.
MEDIUM_AND_ABOVE : The confidence level for the Responsible AI - Dangerous filter settings. You can modify this setting, though lower values might result in more false positives. For more information, see Model Armor confidence levels .

Disable scanning MCP traffic with Model Armor

If you want to stop scanning Google MCP traffic with Model Armor, run the following command:

 gcloud  
model-armor  
floorsettings  
update  
 \ 
  
--full-uri = 
 'projects/ PROJECT_ID 
/locations/global/floorSetting' 
  
 \ 
  
--remove-integrated-services = 
GOOGLE_MCP_SERVER

Replace PROJECT_ID with the Google Cloud project ID.

Model Armor won't scan MCP traffic in the project.

Control MCP use with IAM deny policies

Identity and Access Management (IAM) deny policies help you secure Google Cloud remote MCP servers. Configure these policies to block unwanted MCP tool access.

For example, you can deny or allow access based on:

The principal
Tool properties like read-only
The application's OAuth client ID

For more information, see Control MCP use with Identity and Access Management .

What's next

Read the Cloud Composer MCP reference documentation .
Learn more about Google Cloud MCP servers .