BigQuery MCP Server
@ergut
A Model Context Protocol (MCP) server that provides secure, read-only access to BigQuery datasets. Enables Large Language Models (LLMs) to safely query and analyze data through a standardized interface.
Overview
What is BigQuery MCP Server?
BigQuery MCP Server lets LLMs like Claude talk directly to your BigQuery data — read-only, with no ability to mutate your warehouse. It uses the Model Context Protocol (MCP) to translate natural language into safe SQL queries, making it ideal for AI‑assisted data exploration.
How to use BigQuery MCP Server?
Set up authentication (gcloud auth application-default-login or a service account key file), then add the server to your MCP client’s config (e.g., claude_desktop_config.json or .mcp.json). Run via npx @ergut/mcp-bigquery-server with flags such as --project-id, --location, --key-file, and --config-file. Once configured, open your client and chat with your data in plain English.
Key features of BigQuery MCP Server
- Read-only by design — only
SELECTstatements are allowed. - Run SQL queries by asking questions in plain English.
- Access both tables and materialized views with schema exploration.
- Configurable safe limits via
config.jsonor command line. - Protect sensitive data with field‑level restrictions.
- Auto‑discover sensitive columns across all datasets.
Use cases of BigQuery MCP Server
- Ask “What were our top 10 customers last month?” and get an answer in plain English.
- Explore dataset schemas without writing any SQL.
- Query BigQuery from AI assistants while preventing exposure of PII/PHI.
- Automatically scan for and restrict sensitive fields across the entire warehouse.
FAQ from BigQuery MCP Server
What are the prerequisites to run the server?
You need Node.js 14+, a Google Cloud project with BigQuery enabled, and an MCP‑compatible client (e.g., Claude Desktop or Claude Code).
How do I authenticate with Google Cloud?
Use gcloud auth application-default-login for development or provide a service account key file via the --key-file argument for production.
Does the server modify my BigQuery data?
No. The server is read‑only — only SELECT statements are allowed. Every query is validated by BigQuery’s dry‑run planner, so mutations are rejected.
How can I protect sensitive data from the AI agent?
Define preventedFields in config.json to block specific columns, and enable auto‑scanning to automatically discover and restrict sensitive fields across all datasets.
What are the main limitations?
Processing limits are configurable per query. Some complex view types may not be supported. A config file is optional; without one the server uses safe defaults.