Cloud Run MCP transparent proxy (stdio <-> streamable HTTP)

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for logicoffee from gravatar.com logicoffee

Unverified details

These details have not been verified by PyPI
Meta
  • Requires: Python >=3.10
  • Provides-Extra: dev
Report project as malware

Project description

mcp-cloudrun-proxy

Transparent proxy for using an MCP server deployed on Cloud Run (Streamable HTTP) as a local stdio MCP server.

Access to Cloud Run uses IAM Invoker + ID Token (Bearer), and the proxy automatically refreshes expired tokens.

What It Does

  • Local side: acts as a stdio MCP server
  • Remote side: connects to a Streamable HTTP MCP server
  • Transparently relays JSON-RPC messages bidirectionally
  • Adds Authorization: Bearer <ID Token> to all requests
  • Refreshes tokens and retries/reconnects on 401/403

Prerequisites

  • Python 3.10+
  • A Cloud Run MCP endpoint (for example: https://xxxx.run.app/mcp)
  • Valid ADC (Application Default Credentials) in the runtime environment
  • Cloud Run Invoker role granted to the calling principal

ADC Setup (Local Development)

If you use user credentials locally, you usually need to set up ADC first:

gcloud auth application-default login

Notes:

  • gcloud auth login alone may not configure ADC (this tool uses ADC).
  • If you use a service account, GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json also works.

Usage

uvx mcp-cloudrun-proxy run \
  --url https://xxxx.run.app/mcp \
  --audience https://xxxx.run.app \
  --token-source google-auth \
  --log-level info \
  --refresh-margin 60

If you installed the command locally (for example with pipx, uv tool, or Nix), replace uvx mcp-cloudrun-proxy run with mcp-cloudrun-proxy run.

Options:

  • --url (required): Cloud Run MCP endpoint URL
  • --audience (optional): ID token audience (inferred from --url if omitted)
  • --log-level: info / debug / warn
  • --refresh-margin: Seconds before expiry to refresh proactively (default: 60)
  • --token-source (required): google-auth / gcloud

Notes:

  • If --audience is omitted, the proxy extracts scheme://host[:port] from --url.
  • In many cases, the audience should be the Cloud Run service URL (without /mcp), but it must match your server-side expectations.
  • In --token-source gcloud mode, the audience value is ignored because the gcloud user-credential path does not support audience-scoped ID tokens.
  • Use --token-source google-auth for service account / metadata-based credentials.
  • Use --token-source gcloud for local user ADC when you want token issuance via the gcloud CLI.

Debug Command

Use the debug subcommand to test token issuance and Cloud Run access step by step.

uvx mcp-cloudrun-proxy debug \
  --url https://xxxx.run.app/mcp \
  --token-source gcloud

What it checks:

  • ID token issuance (and prints which token source was used)
  • Authenticated HTTP reachability to the Cloud Run endpoint

Tip:

  • If local development changes are not reflected with uvx, try uvx --refresh ... or uv cache clean.

Claude Desktop / Claude Code Configuration

Register this proxy as a stdio MCP server. Client config schemas vary, so the examples below are generic patterns.

Recommended example using uvx (no local install):

{
  "mcpServers": {
    "cloudrun-proxy": {
      "command": "uvx",
      "args": [
        "mcp-cloudrun-proxy",
        "run",
        "--url",
        "https://xxxx.run.app/mcp",
        "--audience",
        "https://xxxx.run.app",
        "--token-source",
        "gcloud"
      ]
    }
  }
}

Nix

You can use this project via Nix without cloning the repository.

Run directly (no install):

nix run github:logicoffee/mcp-cloudrun-proxy -- \
  run \
  --url https://xxxx.run.app/mcp \
  --audience https://xxxx.run.app \
  --token-source google-auth

Install via Nix:

nix profile install github:logicoffee/mcp-cloudrun-proxy

After installation:

mcp-cloudrun-proxy run --url https://xxxx.run.app/mcp --audience https://xxxx.run.app --token-source google-auth

Troubleshooting

  • 401 / 403 keeps happening:
    • Check the --audience value first
    • If you are using user ADC, try --token-source gcloud and note that audience is ignored in gcloud mode
    • If Cloud Run requires an audience-scoped ID token, use a service account (--token-source google-auth)
    • Confirm the Cloud Run Invoker role is granted
    • Confirm ADC points to the expected account
  • Connection closes immediately:
    • Confirm --url points to the MCP endpoint (/mcp)
    • Confirm Streamable HTTP transport is enabled on the Cloud Run side
  • Logs are not visible:
    • Logs are written to stderr (stdout is reserved for the MCP protocol)

Security Notes

  • ID token contents are not logged
  • Raw Authorization values are not logged or included in exception messages
  • This proxy is intended as a secure relay that relies on Cloud Run IAM

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for logicoffee from gravatar.com logicoffee

Unverified details

These details have not been verified by PyPI
Meta
  • Requires: Python >=3.10
  • Provides-Extra: dev

Release history Release notifications | RSS feed

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcp_cloudrun_proxy-0.1.0.tar.gz (75.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcp_cloudrun_proxy-0.1.0-py3-none-any.whl (12.0 kB view details)

Uploaded Python 3

File details

Details for the file mcp_cloudrun_proxy-0.1.0.tar.gz.

File metadata

  • Download URL: mcp_cloudrun_proxy-0.1.0.tar.gz
  • Upload date:
  • Size: 75.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for mcp_cloudrun_proxy-0.1.0.tar.gz
Algorithm Hash digest
SHA256 50d209a00f4d64dae490a6af9cef20ce84eafa8a85ab1c95a582488be7c21fcd
MD5 eff8eb85146cb42586ce7554f6dc1800
BLAKE2b-256 9f19dece93d799f2ab6cc65f9130b6d7e56173e16a79dfbbeb5b1522079668e5

See more details on using hashes here.

Provenance

The following attestation bundles were made for mcp_cloudrun_proxy-0.1.0.tar.gz:

Publisher: publish-pypi.yml on logicoffee/mcp-cloudrun-proxy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mcp_cloudrun_proxy-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for mcp_cloudrun_proxy-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7b852a58ec16b3def7e25e3b2346d69ebe37dbd9bc508cca6e9b2ebc5bd07935
MD5 43b7a027d53c61b15865e6881befae98
BLAKE2b-256 d15c11e49657aef27bcd19d5b1fe9ef0475b8e1d8412e5bb9fff8870e0f94d7f

See more details on using hashes here.

Provenance

The following attestation bundles were made for mcp_cloudrun_proxy-0.1.0-py3-none-any.whl:

Publisher: publish-pypi.yml on logicoffee/mcp-cloudrun-proxy

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page