Secure Deployment
Purpose
Within the broader scope of automating deployments for the MCP server to Google Cloud Run, the Secure Deployment subtopic addresses the need for controlled, authenticated access to the deployed service. Unlike public or unauthenticated deployment modes, this subtopic ensures that only clients presenting valid identity tokens can access the MCP server endpoints. This is critical for protecting sensitive data, enforcing access control policies, and complying with security best practices in production environments.
By requiring identity tokens, Secure Deployment mitigates unauthorized usage and integrates with Google Cloud’s authentication mechanisms, safeguarding the backend services from unrestricted public exposure.
Functionality
The core functionality of Secure Deployment revolves around enabling authentication enforcement on the deployed Cloud Run service. The key workflows and mechanisms unique to this deployment mode include:
- Identity Token Generation: Before deployment, an identity token is generated using Google Cloud CLI’s gcloud auth print-identity-token. This token represents an authenticated user or service account and is used to prove identity during service invocation.
- Authenticated Cloud Run Deployment: The deployment command disables unauthenticated access by setting the --no-allow-unauthenticated flag. This ensures Cloud Run requires all incoming requests to present valid authentication credentials.
- Access Control Enforcement: Once deployed, Cloud Run validates the identity token sent by clients (typically in the Authorization: Bearer <token> HTTP header). Requests without valid tokens are rejected before reaching the MCP server.
- Token-Based Client Requests: Clients consuming the MCP server API must obtain and attach identity tokens corresponding to authorized identities, integrating with Google Cloud IAM for permission management.
The deployment script cloudrun-secure.sh encapsulates these steps:
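echo "Deploying Cloud Run End Point in Secure Mode"
# Identity token for later authenticated requests to the service;
# the gcloud run deploy command below does not reference it.
export ID_TOKEN=$(gcloud auth print-identity-token)
# --no-allow-unauthenticated makes Cloud Run require credentials on every request.
gcloud run deploy zoo-mcp-server \
  --no-allow-unauthenticated \
  --region=europe-west1 \
  --source=. \
  --labels=dev-tutorial=codelab-gde-medium-secure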
This script does not merely deploy the containerized MCP server but configures Cloud Run to enforce authentication, requiring valid tokens for every request.
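A post-deploy check for the deployment above, as an added example that is not part of cloudrun-secure.sh or the project: it confirms that the service's IAM policy names no public principal and that a request sent without a token is stopped by Cloud Run. The service URL argument, the sample policies and the service account name are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify that authentication
# is really enforced on zoo-mcp-server after cloudrun-secure.sh has run.

# Constructed sample policies, shaped like the JSON printed by
# `gcloud run services get-iam-policy ... --format=json`.
# The service account name is hypothetical.
PRIVATE_POLICY='{"bindings":[{"members":["serviceAccount:mcp-client@example-project.iam.gserviceaccount.com"],"role":"roles/run.invoker"}]}'
PUBLIC_POLICY='{"bindings":[{"members":["allUsers"],"role":"roles/run.invoker"}]}'

# Reads IAM policy JSON on stdin. Returns 0 only when neither public
# principal (allUsers, allAuthenticatedUsers) appears as a member.
policy_is_private() {
  ! grep -Eq '"(allUsers|allAuthenticatedUsers)"'
}

# Maps the HTTP status of a request sent WITHOUT a token to a verdict.
# 401/403: rejected at the platform. 000 (curl could not connect), 429 and
# 5xx prove nothing either way. Any other status is treated as a response
# from the MCP server itself, i.e. the request got through.
classify_unauth_status() {
  case "$1" in
    401|403)     echo "enforced" ;;
    000|429|5??) echo "inconclusive" ;;
    *)           echo "exposed" ;;
  esac
}

# Live check. $1 is the service URL printed by `gcloud run deploy`
# (an assumption here; the page does not show it).
verify_deployment() {
  url="$1"
  gcloud run services get-iam-policy zoo-mcp-server \
    --region=europe-west1 --format=json | policy_is_private \
    || { echo "FAIL: public principal in IAM policy"; return 1; }
  status=$(curl -s -o /dev/null -w '%{http_code}' "$url")
  verdict=$(classify_unauth_status "$status")
  [ "$verdict" = "enforced" ] \
    || { echo "FAIL: tokenless request returned $status ($verdict)"; return 1; }
  echo "OK: authentication enforced"
}
```

Run verify_deployment with the service URL as its only argument after each deploy, for example as the last step of a CI job.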
Integration
Secure Deployment complements and extends the parent topic Cloud Run Deployment Automation by introducing authentication as a deployment configuration. It contrasts with the Unauthenticated Deployment subtopic, which allows public, token-free access, providing flexibility depending on security requirements.
It also depends on the Environment Initialization subtopic, which prepares the Google Cloud project with the necessary IAM roles and API enablements to support authentication workflows. The identity tokens used in Secure Deployment derive from these configured service accounts and permissions.
By enforcing authentication at the Cloud Run platform level, Secure Deployment ensures that the Zoo Animal MCP Server (from the Zoo Animal Query API) only processes requests from verified clients, maintaining the integrity and confidentiality of the zoo animal data.
Diagram
sequenceDiagram
participant Dev as Developer
participant GCloudCLI as gcloud CLI
participant CloudRun as Cloud Run Service
participant Client as API Client
participant MCPServer as Zoo Animal MCP Server
Dev->>GCloudCLI: Run cloudrun-secure.sh
GCloudCLI->>GCloudCLI: Generate ID Token
GCloudCLI->>CloudRun: Deploy with --no-allow-unauthenticated
Client->>CloudRun: Request with Identity Token
CloudRun->>CloudRun: Validate Token
alt Token Valid
CloudRun->>MCPServer: Forward Request
MCPServer->>CloudRun: Send Response
CloudRun->>Client: Return Response
else Token Invalid or Missing
CloudRun->>Client: Deny Access (401 Unauthorized)
end