Google Cloud Storage
The Google Cloud Storage connector lets AI agents list buckets, read and upload objects, copy files, and manage access controls through the official GCS API using OAuth 2.0. Your Google Cloud credentials are stored encrypted in MCPGate's vault and are never exposed to the AI client.
Required scopes
MCPGate requests the following OAuth scopes when you connect a Google Cloud Storage account. Both scopes are requested up front so you don't need to re-authorise when enabling additional tools.
| Scope | Purpose |
|---|---|
| devstorage.read_write | Read objects and upload new objects to buckets |
| devstorage.full_control | Manage object ACLs and bucket metadata |
Tool reference
The GCS connector exposes 9 tools: 5 read, 3 write, and 1 delete. Use the MCP Apps page to enable or disable individual tools per app.
| Tool | Category | Description |
|---|---|---|
| gcs_list_buckets | read | List all GCS buckets in the project |
| gcs_list_objects | read | List objects in a GCS bucket with optional prefix filter |
| gcs_get_object | read | Get metadata for a GCS object (size, content type, ETag, updated) |
| gcs_read_object | read | Read the text content of a GCS object (UTF-8 text only, max 1 MB) |
| gcs_get_bucket_metadata | read | Get metadata and configuration for a GCS bucket |
| gcs_upload_object | write | Upload an object to a GCS bucket |
| gcs_copy_object | write | Copy an object within or between GCS buckets |
| gcs_set_object_acl | write | Set the access control list (ACL) for a GCS object |
| gcs_delete_object | delete | Delete an object from a GCS bucket |
ACL changes are immediate
gcs_set_object_acl changes the object's access control list immediately. Setting an ACL to allUsers makes the object publicly readable on the internet. Always deny this tool in apps that do not need to manage public access.
Common guardrail recipes
Read-only access
Enable only the five read tools and deny gcs_upload_object, gcs_copy_object, gcs_set_object_acl, and gcs_delete_object. This is the safest configuration for agents that only need to inspect bucket contents.
Contribute preset
Use the built-in contribute preset to allow reads plus gcs_upload_object and gcs_copy_object, while denying ACL management and deletion. Agents can add content but cannot expose it publicly or remove existing objects.
Restrict to specific buckets
Apply the allow_values guardrail template to write tools, targeting the bucket field. Provide a list of bucket names the agent is permitted to write to. Any attempt to write to another bucket is denied before the API call.
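The three recipes above can be checked against sample tool calls before rollout. The following is an added example, not MCPGate's own code or configuration format: the policy shape, the `evaluate` helper, and the assumption that every write tool carries its target in a `bucket` argument are hypothetical.

```python
# Added illustration: a local model of the guardrail recipes above.
# NOT MCPGate's implementation. The policy shape and the "bucket"/"object"
# argument names are assumptions; tool names are taken from the tool table.

READ_TOOLS = {"gcs_list_buckets", "gcs_list_objects", "gcs_get_object",
              "gcs_read_object", "gcs_get_bucket_metadata"}
WRITE_TOOLS = {"gcs_upload_object", "gcs_copy_object", "gcs_set_object_acl"}

# Preset name -> set of enabled tools (everything else is denied).
PRESETS = {
    "read_only": READ_TOOLS,
    "contribute": READ_TOOLS | {"gcs_upload_object", "gcs_copy_object"},
}


def evaluate(preset, allowed_buckets, tool, args):
    """Return (allowed, reason) for one tool call, before any API request."""
    enabled = PRESETS.get(preset)
    if enabled is None:
        return False, "unknown preset"  # fail closed
    if tool not in enabled:
        return False, f"{tool} denied by {preset} preset"
    if tool in WRITE_TOOLS:
        bucket = args.get("bucket")
        # Exact, case-sensitive match; a missing field is a denial, not a pass.
        if not isinstance(bucket, str) or bucket not in allowed_buckets:
            return False, f"bucket {bucket!r} not in allow_values list"
    return True, "ok"


# Constructed sample calls an agent might make.
CALLS = [
    ("gcs_read_object", {"bucket": "prod-secrets", "object": "a.txt"}),
    ("gcs_upload_object", {"bucket": "agent-drop", "object": "r.md"}),
    ("gcs_upload_object", {"bucket": "prod-secrets", "object": "r.md"}),
    ("gcs_upload_object", {"object": "r.md"}),
    ("gcs_set_object_acl", {"bucket": "agent-drop", "object": "r.md"}),
    ("gcs_delete_object", {"bucket": "agent-drop", "object": "r.md"}),
]

if __name__ == "__main__":
    for tool, args in CALLS:
        ok, why = evaluate("contribute", {"agent-drop"}, tool, args)
        print(f"{'ALLOW' if ok else 'DENY':5} {tool:20} {why}")
```

The first sample call is allowed: a bucket allow-list applied only to write tools does not limit which buckets the agent can read.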
Troubleshooting
- 403 on bucket operations — The connected account may lack IAM permissions on the project or bucket. Ensure the Google account has at least the Storage Object Admin IAM role on the relevant buckets.
- Object not found — GCS object names are case-sensitive and must include the full path including any prefix (e.g. logs/2025/01/app.log).
- Token expired — MCPGate automatically refreshes Google OAuth tokens. If refresh fails, disconnect and reconnect the GCS connector to obtain a fresh token.