Required roles
To get the permissions that you need to enable the Resource Manager MCP server, ask your administrator to grant you the Service Usage Admin (roles/serviceusage.serviceUsageAdmin) IAM role on the project where you want to enable the Resource Manager MCP server. For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to enable the Resource Manager MCP server. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to enable the Resource Manager MCP server:
- serviceusage.mcppolicy.get
- serviceusage.mcppolicy.update
You might also be able to get these permissions with custom roles or other predefined roles.
Enable or disable the Resource Manager MCP server
You can enable or disable the Resource Manager MCP server in a project with the gcloud beta services mcp enable command. For more information, see the following sections.
Enable the Resource Manager MCP server in a project
If you are using different projects for your client credentials, such as service account keys, OAuth client ID or API keys, and for hosting your resources, then you must enable the Resource Manager service and the Resource Manager remote MCP server on both projects.
To enable the Resource Manager MCP server in your Google Cloud project, run the following command:
    gcloud beta services mcp enable SERVICE \
        --project=PROJECT_ID
Replace the following:
- PROJECT_ID: the Google Cloud project ID.
- SERVICE: the global or regional service name for Resource Manager. For example, cloudresourcemanager.googleapis.com or cloudresourcemanager.us-central1.rep.googleapis.com. For available regions, see the Resource Manager MCP reference.
The Resource Manager remote MCP server is enabled for use in your Google Cloud Project. If the Resource Manager service isn't enabled for your Google Cloud project, you are prompted to enable the service before enabling the Resource Manager remote MCP server.
As a security best practice, we recommend that you enable MCP servers only for the services required for your AI application to function.
Disable the Resource Manager MCP server in a project
To disable the Resource Manager MCP server in your Google Cloud project, run the following command:
    gcloud beta services mcp disable SERVICE \
        --project=PROJECT_ID
The Resource Manager MCP server is disabled for use in your Google Cloud Project.
Authentication and authorization
Resource Manager MCP servers use the OAuth 2.0 protocol with Identity and Access Management (IAM) for authentication and authorization. All Google Cloud identities are supported for authentication to MCP servers.
We recommend creating a separate identity for agents using MCP tools so that access to resources can be controlled and monitored. For more information on authentication, see Authenticate to MCP servers.
Resource Manager MCP OAuth scopes
OAuth 2.0 uses scopes and credentials to determine if an authenticated principal is authorized to take a specific action on a resource. For more information about OAuth 2.0 scopes at Google, read Using OAuth 2.0 to access Google APIs.
Resource Manager has the following MCP tool OAuth scopes:
| Scope URI for gcloud CLI | Description |
|---|---|
| https://www.googleapis.com/auth/cloudresourcemanager.read-only | Only allows access to read data. |
| https://www.googleapis.com/auth/cloudresourcemanager.read-write | Allows access to read and modify data. |
Additional scopes might be required on the resources accessed during a tool call. To view a list of scopes required for Resource Manager, see Resource Manager API.
Configure an MCP client to use the Resource Manager MCP server
AI applications and agents, such as Claude or Gemini CLI, can instantiate an MCP client that connects to a single MCP server. An AI application can have multiple clients that connect to different MCP servers. To connect to a remote MCP server, the MCP client must know at a minimum the URL of the remote MCP server.
In your AI application, look for a way to connect to a remote MCP server. You are prompted to enter details about the server, such as its name and URL.
For the Resource Manager MCP server, enter the following as required:
- Server name: Resource Manager MCP server
- Server URL or Endpoint: cloudresourcemanager.googleapis.com/mcp
- Transport: HTTP
- Authentication details: Depending on how you want to authenticate, you can enter your Google Cloud credentials, your OAuth Client ID and secret, or an agent identity and credentials. For more information on authentication, see Authenticate to MCP servers.
- OAuth scope: the OAuth 2.0 scope that you want to use when connecting to the Resource Manager MCP server.
For host specific guidance, see the following:
For more general guidance, see the following resources:
Available tools
MCP tools that are read-only have the MCP attribute mcp.tool.isReadOnly set to true. You might want to only allow read-only tools in certain environments through your organization policy.
To view details of available MCP tools and their descriptions for the Resource Manager MCP server, see the Resource Manager MCP reference.
List tools
Use the MCP inspector to list tools, or send a tools/list HTTP request directly to the Resource Manager remote MCP server. The tools/list method doesn't require authentication.
    POST /mcp HTTP/1.1
    Host: cloudresourcemanager.googleapis.com
    Content-Type: application/json

    {
      "jsonrpc": "2.0",
      "method": "tools/list",
      "id": 1
    }
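A client-side gate for the read-only guidance above, as an added example that is not part of the original page or Google's code: it reads a tools/list response and only lets the agent call tools explicitly marked read-only. It assumes the server reports read-only tools through the MCP specification's annotations.readOnlyHint field; the sample response, the update_project and unlabelled_tool entries, and the query argument name are constructed for illustration.

```python
import json

# Constructed sample tools/list response. search_projects is the tool named on
# this page; update_project and unlabelled_tool are hypothetical entries added
# for contrast. annotations.readOnlyHint is the MCP specification's tool
# annotation; that this server populates it is an assumption.
SAMPLE_TOOLS_LIST = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [
        {"name": "search_projects", "annotations": {"readOnlyHint": True}},
        {"name": "update_project", "annotations": {"readOnlyHint": False}},
        {"name": "unlabelled_tool"},
    ]},
})

def read_only_tools(raw_response: str) -> set:
    """Return names of tools explicitly marked read-only; all others are denied."""
    msg = json.loads(raw_response)
    if msg.get("jsonrpc") != "2.0" or "result" not in msg:
        raise ValueError("not a successful JSON-RPC 2.0 response")
    allowed = set()
    for tool in msg["result"].get("tools", []):
        # Fail closed: a missing annotation is treated as write-capable.
        if tool.get("annotations", {}).get("readOnlyHint") is True:
            allowed.add(tool["name"])
    return allowed

def build_tool_call(name: str, arguments: dict, allowed: set, req_id: int) -> str:
    """Build a tools/call request, refusing tools outside the allowlist."""
    if name not in allowed:
        raise PermissionError(f"tool {name!r} is not on the read-only allowlist")
    return json.dumps({
        "jsonrpc": "2.0", "id": req_id, "method": "tools/call",
        "params": {"name": name, "arguments": arguments},
    })

if __name__ == "__main__":
    allowed = read_only_tools(SAMPLE_TOOLS_LIST)
    print(sorted(allowed))
    # "query" as the argument name is an assumption; the filter is from this page.
    print(build_tool_call("search_projects", {"query": "parent:folders/223"}, allowed, 2))
    try:
        build_tool_call("update_project", {}, allowed, 3)
    except PermissionError as err:
        print("blocked:", err)
```

A gate like this complements, and does not replace, the organization policy and the read-only OAuth scope, which are enforced on the server side.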
Sample use cases
The search_projects tool in the Resource Manager remote MCP server lets AI agents dynamically discover and identify all Google Cloud projects that you have the necessary permissions to access so they can execute commands in other tools.
The tool returns a structured list containing the project ID, project number, and the lifecycle state of the project. The following are sample use cases for the Resource Manager MCP server:
- Resource inventory and accessibility audits: List and summarize the active cloud projects accessible to you.
  User prompt: List all my active Google Cloud projects.
  Agent action: The agent sends a search query to the MCP server to retrieve and display a summarized list of all active projects under your credentials.
- Targeted parent-based searches: Retrieve projects located within a specific folder or organization to narrow the scope of a request.
  User prompt: Find all projects under Folder 223.
  Agent action: The agent executes a tool call with the query parent:folders/223 to return a list of projects within that administrative boundary.
- Implicit context resolution: When you ask for information about a resource without providing a specific project ID, the agent can resolve the context automatically.
  User prompt: Check the status of my 'payment-processor' service.
  Agent action: The agent recognizes that a project_id is missing for the Cloud Run tool. It uses the search_projects tool to find projects with payment in the name, identifies likely projects (such as payment-prod-123), and asks you for confirmation before proceeding.
- Environment-specific discovery: You can find projects filtered by specific environments or organizational structures without leaving the chat interface.
  User prompt: Which projects do I have access to in the staging environment?
  Agent action: The agent performs a search operation for all projects labeled or named staging that you have permission to view and returns the specific project IDs.
Customize LLM behavior
The search_projects tool is versatile, but LLMs might not always know when to query your Google Cloud hierarchy. To call the tool in specific scenarios, provide custom context in a Markdown file, for example, ~/.gemini/GEMINI.md or a project-level AGENTS.md.
What's next
- Read the Resource Manager MCP reference documentation.
- Learn more about Google Cloud MCP servers.

