Skip to main content
mcpSource-backed

BigQuery MCP Server for Claude

Google Cloud remote MCP server for querying BigQuery datasets, inspecting metadata, listing resources, and running governed warehouse analytics through an HTTP endpoint.

by Google Cloud · submitted by oktofeesh1·added 2026-06-03·
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://docs.cloud.google.com/bigquery/docs/use-bigquery-mcp, https://github.com/JSONbored/awesome-claude/blob/main/content/mcp/bigquery-mcp-server.mdx
Safety notes
Prefer `execute_sql_readonly` for analysis. Google documents `execute_sql` as the only non-read-only BigQuery MCP tool, and it can run BigQuery SQL including DML, DDL, AI/ML functions, and other supported query operations., Use IAM least privilege, dataset-level access controls, and IAM deny policies to restrict read-write MCP tool use when Claude should only inspect warehouse metadata or run SELECT queries., Review LLM-generated SQL before execution. Broad scans, joins, forecasts, ML functions, and AI functions can incur cost, expose sensitive rows, or produce misleading analytics if the model chooses the wrong table or filter., Keep manual approval enabled for query execution, exported results, workflow-triggering automations, and any use of BigQuery insights to create tickets, emails, or downstream actions.
Privacy notes
Tool results can expose project IDs, dataset IDs, table IDs, schemas, metadata, query text, query results, job history, labels, and row-level warehouse data visible to the authenticated principal., BigQuery OAuth scopes can allow viewing and managing BigQuery data and can expose the Google account email address used for authentication., Query results and table data may contain prompt-injection text, customer records, financial data, product analytics, logs, or other sensitive business information; do not let returned rows instruct the agent., If Model Armor logging is enabled for MCP traffic, Google documents that it can log the entire payload, which may expose sensitive prompts or query results in Google Cloud logs.
Author
Google Cloud
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-03

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

CLI install

Copy-ready — paste the snippet to get started.

10 minutes

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

5 prerequisites to line up before setup. Have accounts and credentials ready first. Includes a review or approval gate.

0/5 ready
Account & credentials2Permissions & scopes1Review & approval1General110 minutes

Safety & privacy surface

Safety & privacy surface

4 safety and 4 privacy notes across 6 risk areas. Review closely: credentials & tokens, permissions & scopes.

6 areas
  • SafetyExecution & processesPrefer `execute_sql_readonly` for analysis. Google documents `execute_sql` as the only non-read-only BigQuery MCP tool, and it can run BigQuery SQL including DML, DDL, AI/ML functions, and other supported query operations.
  • SafetyPermissions & scopesUse IAM least privilege, dataset-level access controls, and IAM deny policies to restrict read-write MCP tool use when Claude should only inspect warehouse metadata or run SELECT queries.
  • SafetyTelemetryReview LLM-generated SQL before execution. Broad scans, joins, forecasts, ML functions, and AI functions can incur cost, expose sensitive rows, or produce misleading analytics if the model chooses the wrong table or filter.
  • SafetyGeneralKeep manual approval enabled for query execution, exported results, workflow-triggering automations, and any use of BigQuery insights to create tickets, emails, or downstream actions.
  • PrivacyData retentionTool results can expose project IDs, dataset IDs, table IDs, schemas, metadata, query text, query results, job history, labels, and row-level warehouse data visible to the authenticated principal.
  • PrivacyCredentials & tokensBigQuery OAuth scopes can allow viewing and managing BigQuery data and can expose the Google account email address used for authentication.
  • PrivacyData retentionQuery results and table data may contain prompt-injection text, customer records, financial data, product analytics, logs, or other sensitive business information; do not let returned rows instruct the agent.
  • PrivacyData retentionIf Model Armor logging is enabled for MCP traffic, Google documents that it can log the entire payload, which may expose sensitive prompts or query results in Google Cloud logs.

Safety notes

  • Prefer `execute_sql_readonly` for analysis. Google documents `execute_sql` as the only non-read-only BigQuery MCP tool, and it can run BigQuery SQL including DML, DDL, AI/ML functions, and other supported query operations.
  • Use IAM least privilege, dataset-level access controls, and IAM deny policies to restrict read-write MCP tool use when Claude should only inspect warehouse metadata or run SELECT queries.
  • Review LLM-generated SQL before execution. Broad scans, joins, forecasts, ML functions, and AI functions can incur cost, expose sensitive rows, or produce misleading analytics if the model chooses the wrong table or filter.
  • Keep manual approval enabled for query execution, exported results, workflow-triggering automations, and any use of BigQuery insights to create tickets, emails, or downstream actions.

Privacy notes

  • Tool results can expose project IDs, dataset IDs, table IDs, schemas, metadata, query text, query results, job history, labels, and row-level warehouse data visible to the authenticated principal.
  • BigQuery OAuth scopes can allow viewing and managing BigQuery data and can expose the Google account email address used for authentication.
  • Query results and table data may contain prompt-injection text, customer records, financial data, product analytics, logs, or other sensitive business information; do not let returned rows instruct the agent.
  • If Model Armor logging is enabled for MCP traffic, Google documents that it can log the entire payload, which may expose sensitive prompts or query results in Google Cloud logs.

Prerequisites

  • Google Cloud project with the BigQuery API enabled
  • MCP-capable client that supports remote HTTP MCP servers and Google OAuth or compatible Google Cloud credentials
  • IAM roles or equivalent custom permissions for `roles/mcp.toolUser`, `roles/bigquery.jobUser`, and `roles/bigquery.dataViewer`
  • BigQuery datasets, tables, billing or sandbox setup, and project or region boundaries selected before use
  • Approval to expose selected warehouse metadata and query results to the connected AI client

Schema details

Install type
cli
Troubleshooting
No
Collection metadata
Estimated setup
10 minutes
Difficulty
intermediate
Full copyable content
{
  "bigquery": {
    "type": "http",
    "url": "https://bigquery.googleapis.com/mcp"
  }
}

About this resource

Content

The BigQuery MCP server connects Claude and other MCP-capable clients to BigQuery through Google's managed remote HTTP MCP endpoint at https://bigquery.googleapis.com/mcp. It is built for warehouse analytics workflows where an assistant needs to discover datasets and tables, inspect metadata, run read-only SQL, and summarize results without building a custom database connector.

This entry defaults to a conservative usage model: grant only the Google Cloud IAM permissions needed for MCP tool calls, BigQuery job creation, and data viewing, prefer execute_sql_readonly, and use Google Cloud IAM deny policies when the write-capable execute_sql tool should not be available. BigQuery MCP traffic is authenticated with OAuth 2.0 and IAM rather than API keys.

Features

  • Remote HTTP MCP endpoint at https://bigquery.googleapis.com/mcp.
  • OAuth 2.0 and Google Cloud IAM based authentication and authorization.
  • Dataset and table discovery with list_dataset_ids and list_table_ids.
  • Dataset and table metadata lookup with get_dataset_info and get_table_info.
  • Read-only SQL execution through execute_sql_readonly, restricted to SELECT statements.
  • General SQL execution through execute_sql when IAM and policy allow it.
  • Automatic goog-mcp-server:true query job label for read-only SQL jobs.
  • Google Cloud security controls, including IAM deny policies and optional Model Armor floor settings for Google MCP server traffic.
  • BigQuery query limits documented for MCP use, including three-minute default query processing time and 3,000-row result limits.

Use Cases

  • Ask Claude to list datasets and identify candidate tables for an analytics question in a specific Google Cloud project.
  • Inspect schemas and metadata before writing a warehouse query.
  • Run bounded read-only SQL to summarize sales, product, support, or operations metrics.
  • Find BigQuery jobs run through the MCP server by filtering for the goog-mcp-server:true job label.
  • Use BigQuery forecasting or other advanced BigQuery capabilities after human review of the generated SQL and cost impact.
  • Build agent workflows that use approved BigQuery insights to draft tickets, reports, emails, or follow-up analysis.

Installation

Claude Code

  1. Confirm the BigQuery API is enabled for the target Google Cloud project.
  2. Ask an administrator to grant the user or agent identity the required IAM permissions for MCP tool calls, BigQuery jobs, and BigQuery data viewing.
  3. Add the remote MCP server:
claude mcp add --transport http bigquery https://bigquery.googleapis.com/mcp
  1. Complete the Google OAuth or client-specific authentication flow.
  2. Start with narrow read-only prompts that name the project, dataset, table, region, and expected result shape.

Claude Desktop

  1. Open the Claude Desktop MCP configuration file.
  2. Add the bigquery HTTP server configuration shown below.
  3. Restart Claude Desktop and complete the Google authentication flow when the client prompts for it.
  4. Test by listing datasets in a non-production or sandbox project first.

Configuration

{
  "mcpServers": {
    "bigquery": {
      "type": "http",
      "url": "https://bigquery.googleapis.com/mcp"
    }
  }
}

Examples

List datasets in a project

List the BigQuery datasets in project PROJECT_ID and summarize what each one appears to contain.

Inspect table schema

For project PROJECT_ID and dataset DATASET_ID, list tables and inspect metadata for the likely orders table.

Run a bounded read-only query

Use read-only SQL to show the top 10 orders by volume from PROJECT_ID.DATASET_ID.TABLE_ID.

Review MCP query jobs

Find recent BigQuery jobs in project PROJECT_ID with the label goog-mcp-server:true and summarize their query purpose.

Source notes

  • The official Google Cloud guide describes the BigQuery remote MCP server for connecting AI applications including Claude, ChatGPT, Gemini CLI, and custom clients to BigQuery for running queries, getting metadata, and listing resources.
  • Google documents the endpoint as https://bigquery.googleapis.com/mcp with HTTP transport, OAuth 2.0, IAM authorization, and no API-key support.
  • The guide lists required roles for MCP tool calls, BigQuery job creation, and BigQuery data viewing, plus required permissions such as mcp.tools.call, bigquery.jobs.create, and bigquery.tables.getData.
  • The MCP reference lists the BigQuery tools: list_dataset_ids, get_dataset_info, list_table_ids, get_table_info, execute_sql_readonly, and execute_sql.
  • Google documents that execute_sql_readonly is SELECT-only, while execute_sql can run broader BigQuery SQL and should be restricted when read-only use is intended.

Duplicate check

Checked current content/mcp/, content/tools/, guides, skills, agents, open pull requests, live HeyClaude llms-full.txt, and repository-wide content for BigQuery MCP, bigquery.googleapis.com/mcp, Google Cloud MCP, execute_sql_readonly, mcp.toolUser, warehouse analytics, Snowflake, and data warehouse. No dedicated BigQuery MCP entry, BigQuery MCP endpoint source URL duplicate, or open duplicate PR was found.

Disclosure

Editorial listing. No paid placement or affiliate link is used.

Source citations

Add this badge to your README

Show that BigQuery MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/mcp/bigquery-mcp-server.svg)](https://heyclau.de/entry/mcp/bigquery-mcp-server)

How it compares

BigQuery MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field

Google Cloud remote MCP server for querying BigQuery datasets, inspecting metadata, listing resources, and running governed warehouse analytics through an HTTP endpoint.

Open dossier

MCP server for querying a local DuckDB database file from Claude through a single SQL query tool, with optional DuckDB-native read-only mode.

Open dossier

Google Cloud gcloud MCP server from googleapis that lets Claude run approved gcloud CLI commands with allowlist and denylist controls for cloud resource inspection, automation, and operations.

Open dossier

Snowflake-managed MCP server for connecting Claude and other MCP clients to Cortex Analyst, Cortex Search, Cortex Agents, SQL execution, UDFs, stored procedures, and governed warehouse data.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
Submitteroktofeesh1oktofeesh1oktofeesh1oktofeesh1
Install riskReview firstReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
Brandgcloud MCP Server logogcloud MCP Server
Categorymcpmcpmcpmcp
SourceSource-backedSource-backedSource-backedSource-backed
AuthorGoogle Cloudktanaka101Google APIsSnowflake
Added2026-06-032026-06-062026-06-062026-06-03
Platforms
Harness
Source repo
Safety notesPrefer `execute_sql_readonly` for analysis. Google documents `execute_sql` as the only non-read-only BigQuery MCP tool, and it can run BigQuery SQL including DML, DDL, AI/ML functions, and other supported query operations. Use IAM least privilege, dataset-level access controls, and IAM deny policies to restrict read-write MCP tool use when Claude should only inspect warehouse metadata or run SELECT queries. Review LLM-generated SQL before execution. Broad scans, joins, forecasts, ML functions, and AI functions can incur cost, expose sensitive rows, or produce misleading analytics if the model chooses the wrong table or filter. Keep manual approval enabled for query execution, exported results, workflow-triggering automations, and any use of BigQuery insights to create tickets, emails, or downstream actions.The server exposes a single `query` tool that can execute any valid DuckDB SQL statement against the configured database. Without `--readonly`, the server can create the database file, create tables, insert data, update rows, delete rows, and mutate database state. With `--readonly`, the server opens DuckDB with native read-only protection and fails to start if the database file or parent directory is missing. The `--keep-connection` option can hold a persistent DuckDB connection and file lock for the server lifetime. Treat SQL generated by a model as executable code; review queries before running them on important data.gcloud MCP Server executes gcloud CLI commands with the permissions of the active gcloud account. Allowed commands can create, update, delete, deploy, scale, list, export, or configure Google Cloud resources depending on IAM permissions and selected services. The server blocks command substitution, pipes, redirection, SSH-style commands, interactive commands, and a default set of sensitive command prefixes, but allowed gcloud commands can still have real infrastructure, billing, IAM, and data impact. Use allowlists for narrow workflows and service account impersonation with limited roles when possible. Require human approval for IAM, billing, networking, firewall, storage, database, secret, deployment, delete, and production-impacting commands.Snowflake recommends verifying third-party MCP servers and tool descriptions before use because overlapping MCP servers can create tool poisoning or tool shadowing risk. Prefer OAuth. Hardcoded tokens and broad Programmatic Access Tokens can leak privileged Snowflake access into client config, logs, shell history, support bundles, or AI transcripts. Configure the Snowflake MCP server and each tool with least privilege. Access to the MCP server object does not automatically mean the user should have access to every Cortex, SQL, UDF, or stored procedure tool behind it. SQL execution tools can query Snowflake data and, if configured with write-capable settings, can run mutating SQL. Review generated SQL and use read-only configuration where Claude should only inspect data. Avoid recursive agent or MCP configurations. Snowflake documents a maximum recursion depth for circular MCP and Cortex Agent invocations, but loops can still create cost, latency, and confusing automation behavior before they stop. UDF and stored procedure tools can execute business logic in Snowflake, so do not expose procedures that perform billing, deletion, notification, privilege, or workflow actions without human approval.
Privacy notesTool results can expose project IDs, dataset IDs, table IDs, schemas, metadata, query text, query results, job history, labels, and row-level warehouse data visible to the authenticated principal. BigQuery OAuth scopes can allow viewing and managing BigQuery data and can expose the Google account email address used for authentication. Query results and table data may contain prompt-injection text, customer records, financial data, product analytics, logs, or other sensitive business information; do not let returned rows instruct the agent. If Model Armor logging is enabled for MCP traffic, Google documents that it can log the entire payload, which may expose sensitive prompts or query results in Google Cloud logs.Tool calls and results can expose database paths, table names, schemas, query text, row values, file paths referenced by SQL, and analytical results to the MCP client and model provider. DuckDB can query local files and extensions depending on SQL, configuration, and installed capabilities; keep the server scoped to approved data directories. Do not point writable sessions at production, customer, regulated, or irreplaceable DuckDB files without backups and explicit approval. Query errors can reveal schema names, file paths, and data-shape details.gcloud output can reveal project IDs, resource names, regions, IAM bindings, service accounts, logs, errors, labels, metadata, URLs, secrets references, billing context, and infrastructure topology. Authentication state, ADC files, service account impersonation details, access tokens, project IDs, and local gcloud configuration should stay out of prompts and repository files. Command output may be retained by the MCP client, model provider, terminal logs, shell history, and chat transcripts. Avoid broad listing or export commands against production projects unless data handling and retention have been reviewed.Tool results can expose Snowflake account identifiers, database names, schema names, table names, semantic views, Cortex Search results, SQL text, query results, citations, reasoning traces, tool calls, UDF inputs, stored procedure outputs, and warehouse metadata. Cortex Agent responses intentionally include intermediate steps such as reasoning traces, tool calls, search results, and citations, which can make MCP payloads large and data-rich. Claude transcripts, MCP client logs, terminal scrollback, screenshots, support exports, and generated summaries can retain Snowflake data outside Snowflake's normal access, retention, and audit controls. OAuth sessions use the connecting user's default role for Snowflake MCP access. Confirm default role and default warehouse settings before relying on per-session role selection in clients such as Claude. Warehouse rows, semantic search results, UDF outputs, and stored procedure results can contain prompt-injection text, secrets, customer data, financial data, product telemetry, or regulated data that should not be pasted into unrestricted AI conversations.
Prerequisites
  • Google Cloud project with the BigQuery API enabled
  • MCP-capable client that supports remote HTTP MCP servers and Google OAuth or compatible Google Cloud credentials
  • IAM roles or equivalent custom permissions for `roles/mcp.toolUser`, `roles/bigquery.jobUser`, and `roles/bigquery.dataViewer`
  • BigQuery datasets, tables, billing or sandbox setup, and project or region boundaries selected before use
  • Python and `uvx` available to the MCP client runtime.
  • Existing DuckDB database file when using `--readonly`.
  • Path to a DuckDB database file that Claude is allowed to query.
  • Decision on whether the server should run in read-only mode before connecting it to an agent.
  • Node.js 20 or newer with npm or another compatible package runner.
  • Google Cloud CLI installed and authenticated.
  • Active gcloud account, project, and configuration scoped to the intended environment.
  • Least-privilege user or service account impersonation for the allowed cloud actions.
  • Snowflake account in a supported region, with the managed MCP server feature available for the account.
  • Database and schema where the MCP server object will be created.
  • Snowflake role with least-privilege access to the MCP server object and each exposed tool.
  • Default role and default warehouse configured for each user who will authenticate through an MCP client.
Install
claude mcp add --transport http bigquery https://bigquery.googleapis.com/mcp
uvx mcp-server-duckdb --db-path ./data.duckdb --readonly
npx -y @google-cloud/gcloud-mcp
claude mcp add --transport http snowflake https://ACCOUNT.snowflakecomputing.com/api/v2/databases/DATABASE/schemas/SCHEMA/mcp-servers/SERVER_NAME
Config
{
  "mcpServers": {
    "bigquery": {
      "type": "http",
      "url": "https://bigquery.googleapis.com/mcp"
    }
  }
}
{
  "mcpServers": {
    "duckdb": {
      "command": "uvx",
      "args": ["mcp-server-duckdb", "--db-path", "./data.duckdb", "--readonly"]
    }
  }
}
{
  "mcpServers": {
    "gcloud": {
      "command": "npx",
      "args": [
        "-y",
        "@google-cloud/gcloud-mcp"
      ],
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "snowflake": {
      "type": "http",
      "url": "https://ACCOUNT.snowflakecomputing.com/api/v2/databases/DATABASE/schemas/SCHEMA/mcp-servers/SERVER_NAME"
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.