gcs-google-mcp-server 0.1.12 → 0.1.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +32 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -127,7 +127,38 @@ When set:
|
|
|
127
127
|
- The `bucket` parameter is automatically injected and hidden from tool inputs
|
|
128
128
|
- For `copy_object`, both source and destination are constrained to the specified bucket
|
|
129
129
|
|
|
130
|
-
This
|
|
130
|
+
This lets you grant a least-privilege service account that has only **object-level** access to one bucket, without project-level bucket-listing permission. The startup healthcheck honors this: when `GCS_BUCKET` is set it validates credentials with an object-scoped probe (`storage.objects.list` on that bucket) and never calls the project-level bucket list or a bucket-metadata probe. See [Required IAM permissions](#required-iam-permissions) for the exact permissions per mode.
|
|
131
|
+
|
|
132
|
+
## Required IAM permissions
|
|
133
|
+
|
|
134
|
+
The minimal IAM permissions depend on whether the server is constrained to a single bucket (`GCS_BUCKET`) and which tool groups you enable. The startup healthcheck validates credentials within these bounds — it does **not** require any permission beyond what the table below lists for your mode.
|
|
135
|
+
|
|
136
|
+
### Startup healthcheck
|
|
137
|
+
|
|
138
|
+
| Mode | Permission the healthcheck needs | Notes |
|
|
139
|
+
| ------------------------------------ | ------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
140
|
+
| **Single bucket** (`GCS_BUCKET` set) | `storage.objects.list` on the constrained bucket | Probes `list_objects` with `maxResults: 1`. Does **not** require project-level `storage.buckets.list` or bucket-metadata `storage.buckets.get`, so a correctly least-privilege, object-only service account can start. |
|
|
141
|
+
| **Unconstrained** (no `GCS_BUCKET`) | project-level `storage.buckets.list` | Validates by listing buckets in the project. |
|
|
142
|
+
|
|
143
|
+
Set `SKIP_HEALTH_CHECKS=true` to bypass startup validation entirely (disables **all** credential checks — not recommended).
|
|
144
|
+
|
|
145
|
+
### Per-tool permissions
|
|
146
|
+
|
|
147
|
+
Beyond the healthcheck, each tool needs the corresponding GCS permission at runtime. Grant only what the tool groups you enable require:
|
|
148
|
+
|
|
149
|
+
| Tool / group | Permission |
|
|
150
|
+
| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
|
151
|
+
| `list_objects` (readonly) | `storage.objects.list` |
|
|
152
|
+
| `get_object`, `download_object` (readonly) | `storage.objects.get` |
|
|
153
|
+
| `download_prefix` (readonly) | `storage.objects.list`, `storage.objects.get` |
|
|
154
|
+
| `list_buckets` (readonly) | `storage.buckets.list` |
|
|
155
|
+
| `head_bucket` (readonly) | `storage.buckets.get` |
|
|
156
|
+
| `put_object`, `put_object_from_path`, `upload_prefix`, `copy_object` (readwrite) | `storage.objects.create`, `storage.objects.get` (these tools read each object's metadata back after writing to return its `etag`/`generation`; `copy_object` additionally reads the copy source) |
|
|
157
|
+
| `create_bucket` (readwrite) | `storage.buckets.create` |
|
|
158
|
+
| `delete_object` (delete) | `storage.objects.delete` |
|
|
159
|
+
| `delete_bucket` (delete) | `storage.buckets.delete` |
|
|
160
|
+
|
|
161
|
+
For a read-only, single-bucket service account, the `roles/storage.objectViewer` role on the bucket (or a custom role with `storage.objects.list` + `storage.objects.get`) is sufficient — no project-level or bucket-metadata permissions are needed.
|
|
131
162
|
|
|
132
163
|
## Quick Start
|
|
133
164
|
|
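Review bot: the `put_object`, `put_object_from_path`, `upload_prefix`, `copy_object` (readwrite) row in the per-tool table lists only `storage.objects.create` and `storage.objects.get`, but in GCS overwriting an existing object also requires `storage.objects.delete`, so a service account granted exactly what that row says will pass the startup healthcheck and then receive a 403 the first time one of these tools writes to an object name that already exists (including `copy_object` onto an existing destination). Either add `storage.objects.delete` to that row with a note that it is needed only for overwrites, or state plainly that these tools fail on existing names without it, so the "grant only what the tool groups you enable require" guidance does not lead operators to a grant that breaks on the second upload. Related documentation gap in the same table: `list_buckets` (`storage.buckets.list`) and `head_bucket` (`storage.buckets.get`) are listed as readonly tools, while the single-bucket paragraph and the closing `roles/storage.objectViewer` recommendation promise that no project-level or bucket-metadata permission is needed in that mode; the hunk does not say whether those two tools are hidden when `GCS_BUCKET` is set (the way the `bucket` parameter is) or are still exposed and simply return a permission error at runtime. Say which, since with the new object-scoped probe a passing healthcheck no longer tells the operator that every enabled readonly tool will work, and for the same reason it may be worth noting that the `storage.objects.list` probe does not exercise `storage.objects.get`.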
package/package.json
CHANGED