xbill for Google Developer Experts

Posted on Feb 16 • Originally published at xbill999.Medium on Feb 15

Secure MCP Development with Go, Cloud Run, and Cloud Run Proxy

#googlecloudrun #goprogramminglanguag #gemini #mcpserver

Enabling Cloud Run Proxy support to secure remote access to MCP services.

What is this Tutorial Trying to Do?

The goal of the tutorial is to use Gemini CLI as a MCP client for secure access to remote MCP enabled services via the setup and configuration of the Cloud Run Proxy.

What is the Cloud Run Proxy?

The Cloud Run Proxy acts like a secure tunnel over the Internet and allows Cloud Run Services to be deployed with Authentication which limits the risk of unauthorized access.

The Cloud Run proxy provides a secure tunnel from your local environment to a Cloud Run Hosted Service:

gcloud run services proxy | Google Cloud SDK Documentation

Initial Environment Setup

The environment is meant to be run from a Bash like shell. You can run this from a Linux VM, ChromeOS Linux VM, Firebase Studio environment, or any environment that provides a basic shell.

What Is Go?

Go, also known as Golang, is a programming language created at Google. It’s known for being simple, efficient, and reliable. It’s particularly well-suited for building network services and concurrent applications.

Google Open Source Projects

Installing Go

If Go has not been installed in your environment — there are tools for managing Go installations. The Go Version Manager is available here:

GitHub - moovweb/gvm: Go Version Manager

There are several steps to install gvm :

sudo apt-get install bison
sudo apt-get install curl git mercurial make binutils bison gcc build-essential

bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/master/binscripts/gvm-installer)

Then use the gvm tool to install the latest version of Go:

xbill@penguin:~$ gvm install go1.26.0 -B
Installing go1.26.0 from binary source

gvm use --default go1.26.0

You can validate the installation of Go with the version command:

xbill@penguin:~$ go version
go version go1.26.0 linux/amd64

Gemini CLI

If not pre-installed you can install the Gemini CLI to interact with the source files and provide real-time assistance:

sudo npm install -g @google/gemini-cli

Note- if you are an a non standard environment — you will need to make sure to have at least Node version 20 available in order to run Gemini CLI.

Testing the CLI Environment from the VM

Once you have all the tools and the correct Node.js version in place- you can test the startup of Gemini CLI. You will need to authenticate with a Key or your Google Account:

gemini

Where do I start?

The strategy for starting MCP development is a incremental step by step approach.

First, the basic development environment is setup with the required system variables, and a working Gemini CLI configuration.

Then, a system info Go MCP Server is built with HTTP transport. This server is validated with Gemini CLI in the local environment.

This setup validates the connection from Gemini CLI to the local process via MCP. The MCP client (Gemini CLI) and the Go MCP server both run in the same local environment.

This entire solution is then deployed to Google Cloud Run in secure mode.

Gemini- CLI is used with Google Cloud Run proxy to verify the secure connection.

Setup the Basic Environment

At this point you should have a working Go environment and a working Gemini CLI installation. The next step is to clone the GitHub samples repository with support scripts:

cd ~
git clone https://github.com/xbill9/iap-https-rust

Then run init.sh from the cloned directory.

The script will attempt to determine your shell environment and set the correct variables:

cd iap-https-rust
source init.sh

If your session times out or you need to re-authenticate- you can run the set_env.sh script to reset your environment variables:

cd iap-https-rust
source set_env.sh

Variables like PROJECT_ID need to be setup for use in the various build scripts- so the set_env script can be used to reset the environment if you time-out.

Info Tool with HTTP Transport

One of the key features that the standard MCP libraries provide is abstracting various transport methods.

The high level MCP tool implementation is the same no matter what low level transport channel/method that the MCP Client uses to connect to a MCP Server.

The simplest transport that the SDK supports is the stdio (stdio/stdout) transport — which connects a locally running process. Both the MCP client and MCP Server must be running in the same environment.

The HTTP transport allows the MCP client and server to run on the sameo system or be distributed over the Internet.

The MCP connection over the HTTP transport will look similar to this:

mcpHandler := mcp.NewStreamableHTTPHandler(func(r *http.Request) *mcp.Server {
                        initServer()
                        return server
}, nil)

Building the Go Code

First- switch the directory with the Go version of the MCP sample code:

cd ~/iap-https-rust/proxy-go

Run the release version on the local system:

xbill@penguin:~/iap-https-rust/proxy-go$ make release

You can validate the final result by checking the messages:

xbill@penguin:~/iap-https-rust/proxy-go$ make release
{"time":"2026-02-14T18:10:07.027095411-05:00","level":"INFO","msg":"APP_STARTING"}
{"time":"2026-02-14T18:10:07.027185691-05:00","level":"INFO","msg":"Entering Server Mode","port":"8080"}
{"time":"2026-02-14T18:10:07.02723858-05:00","level":"INFO","msg":"Starting ListenAndServe","address":"0.0.0.0:8080"}

The project can also be linted:

xbill@penguin:~/iap-https-rust/proxy-go$ make lint
go vet

And a test run:

xbill@penguin:~/iap-https-rust/proxy-go$ make test
Running tests...
ok proxy-go (cached)

Running the Tool Locally

Once the release version has been built- the resulting binary can be executed directly in the local environment.

The quick summary of local system info can be run right from the Makefile:

xbill@penguin:~/iap-https-rust/proxy-go$ make info
{"time":"2026-02-14T18:14:01.94274491-05:00","level":"INFO","msg":"APP_STARTING"}
System Information Report
=========================

System Information
------------------
System Name: linux
OS Name: linux
Host Name: penguin

CPU Information
---------------
Number of Cores: 16

Memory Information
------------------
Total Memory: 6364 MB
Used Memory: 298 MB
Total Swap: 0 MB
Used Swap: 0 MB

Network Interfaces
------------------
lo : RX: 10987 bytes, TX: 10987 bytes (MAC: unknown)
docker0 : RX: 0 bytes, TX: 0 bytes (MAC: 1e:3e:e5:38:9b:e9)
br-e70a18428e21 : RX: 168 bytes, TX: 636 bytes (MAC: ae:86:e6:ef:c5:c4)
veth9755cd5 : RX: 126 bytes, TX: 1798 bytes (MAC: 72:4c:de:dc:bc:1b)
eth0 : RX: 12545293 bytes, TX: 42951178 bytes (MAC: 00:16:3e:07:39:7b)
vethd538e3d : RX: 126 bytes, TX: 1756 bytes (MAC: 4a:90:70:f8:5e:80)

System Information with MCP HTTP Transport

One of the key features that the MCP protocol provides is abstracting various transport methods.

The high level tool MCP implementation is the same no matter what low level transport channel/method that the MCP Client uses to connect to a MCP Server.

The HTTP transport allows the MCP client and server to run in the same environment or be distributed over the Internet.

First- switch the directory with the HTTP sample code:

xbill@penguin:~/iap-https-rust/proxy-go$ make run
Running the MCP Streaming HTTP server...
{"time":"2026-02-14T18:15:05.630141482-05:00","level":"INFO","msg":"APP_STARTING"}
{"time":"2026-02-14T18:15:05.63037485-05:00","level":"INFO","msg":"Entering Server Mode","port":"8080"}
{"time":"2026-02-14T18:15:05.630489867-05:00","level":"INFO","msg":"Starting ListenAndServe","address":"0.0.0.0:8080"}

This step validates that the tool can be started locally in streaming HTTP transport mode.

Deploying to Cloud Run

After the HTTP version of the MCP server has been tested locally — it can be deployed remotely to Google Cloud Run.

First- switch to the directory with the HTTP MCP sample code:

xbill@penguin:~/iap-https-rust/proxy-go$ make deploy

Deploy the project to Google Cloud Run with the pre-built cloudbuild.yaml and Dockerfile:

Submitting build to Google Cloud Build...
make[1]: Entering directory '/home/xbill/iap-https-rust/proxy-go'
Cleaning the project...
make[1]: Leaving directory '/home/xbill/iap-https-rust/proxy-go'
Creating temporary archive of 10 file(s) totalling 18.6 KiB before compression.
Some files were not included in the source upload.

Check the gcloud log [/home/xbill/.config/gcloud/logs/2026.02.14/18.16.26.546371.log] to see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).

The Cloud Build will start:

BUILD
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/docker
Step #0: Sending build context to Docker daemon 28.16kB
Step #0: Step 1/7 : FROM golang:1.26-bookworm
Step #0: 1.26-bookworm: Pulling from library/golang

It can take 15–30 minutes to complete the build.

The cloud build needs to pull in all the Rust libraries in the build environment and generate the entire package from scratch:

Step #1: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #1: Deploying container to Cloud Run service [sysutils-proxy-go] in project [comglitn] region [us-central1]
Step #1: Deploying new service...
Step #1: Setting IAM Policy............done
Step #1: Creating Revision.......................................................................................................................done
Step #1: Routing traffic.....done
Step #1: Done.
Step #1: Service [sysutils-proxy-go] revision [sysutils-proxy-go-00001-mdg] has been deployed and is serving 100 percent of traffic.
Step #1: Service URL: https://sysutils-proxy-go-1056842563084.us-central1.run.app
Finished Step #1
PUSH
DONE

When the build is complete- an endpoint will be returned. The service endpoint in this example is :

https://sysutils-proxy-rust-1056842563084.us-central1.run.app

The actual endpoint will vary based on your project settings.

Review Service in Cloud Run

Navigate to the Google Cloud console and search for Cloud Run -

and then you can detailed information on the Cloud Run Service:

Cloud Logging

The remote server writes logs to stderr in standard JSON format. These logs are available from the deployed Cloud Run Service:

Validate HTTP connection

Once you have the Endpoint — you can attempt a connection- navigate to in your browser:

https://sysutils-proxy-rust-1056842563084.us-central1.run.app

You will need to adjust the exact URL to match the URL returned from Cloud Build.

You will get an error- this connection is expecting a message in the MCP format:

Error: Forbidden
Your client does not have permission to get URL / from this server.

Configure the Cloud Run Proxy in Gemini Settings

A sample Gemini setup is provided for this scenario as well:

{
    "mcpServers": {
    "cloud-proxy-go": {
      "httpUrl": "http://127.0.0.1:3000/mcp"
    }
  }
}

Verify Proxy is Enforced

Start Gemini CLI to test the connection to the Cloud Run Service. At this point the Cloud Run Proxy has not been activated so the connection will fail:

✕ Error during discovery for MCP server 'cloud-proxy-go': fetch failed

 > /mcp list
Configured MCP servers:

🔴 cloud-proxy-go - Disconnected

Enabling Cloud Run Proxy

Cloud Run Proxy will be used to secure the connection from the local environment to the remote service. The proxy service must be running at the same time as Gemini CLI to route your calls to the remote Cloud Run Service. The Cloud Run Proxy is not usually installed as part of the base Google Cloud CLI tools- so you will get prompted to install the package in your environment. To start the proxy- open a new window and run the sample script:

xbill@penguin:~/iap-https-rust/proxy-rust$ source startproxy-go.sh 
--- Setting Google Cloud Environment Variables ---
Checking gcloud authentication status...
gcloud is authenticated.

Pausing command execution:

This command requires the `cloud-run-proxy` component to be installed. Would you like to install the `cloud-run-proxy` component to 
continue command execution? (Y/n)? y

ERROR: (gcloud.run.services.proxy) 
You cannot perform this action because the Google Cloud CLI component manager 
is disabled for this installation. You can run the following command 
to achieve the same result for this installation:

sudo apt-get install google-cloud-cli-cloud-run-proxy

xbill@penguin:~/$ sudo apt-get install google-cloud-cli-cloud-run-proxy
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  google-cloud-cli-cloud-run-proxy
0 upgraded, 1 newly installed, 0 to remove and 80 not upgraded.
Need to get 7,674 kB of archives.
After this operation, 21.4 MB of additional disk space will be used.
Get:1 https://packages.cloud.google.com/apt cloud-sdk/main amd64 google-cloud-cli-cloud-run-proxy amd64 538.0.0-0 [7,674 kB]
Fetched 7,674 kB in 1s (7,569 kB/s)                        
Selecting previously unselected package google-cloud-cli-cloud-run-proxy.
(Reading database ... 137857 files and directories currently installed.)
Preparing to unpack .../google-cloud-cli-cloud-run-proxy_538.0.0-0_amd64.deb ...
Unpacking google-cloud-cli-cloud-run-proxy (538.0.0-0) ...
Setting up google-cloud-cli-cloud-run-proxy (538.0.0-0) ...
Processing triggers for google-cloud-cli (529.0.0-0) ...
Processing triggers for google-cloud-cli-anthoscli (529.0.0-0) ...
Scanning processes...

Once the Google Cloud CLI package has been enabled — restart the proxy:

xbill@penguin:~/iap-https-rust/proxy-go$ source startproxy-go.sh 
--- Setting Google Cloud Environment Variables ---
Checking gcloud authentication status...
gcloud is authenticated.
Setting gcloud config project to: comglitn

You should see a message similar to this once it has started:

--- Environment setup complete ---
Starting Local Proxy
Proxying to Cloud Run service [sysutils-proxy-go] in project [comglitn] region [us-central1]
http://127.0.0.1:3000 proxies to https://sysutils-proxy-go-fgasxpwzoq-uc.a.run.app

Connect to Cloud Run MCP server

Once the Cloud Run proxy as been activated — keep it running and start a new terminal window. Start a fresh connection over the proxy to Gemini CLI:


 > /mcp list
Configured MCP servers:

🟢 cloud-proxy-go - Ready (2 tools)
  Tools:
  - disk_usage
  - local_system_info

and the tool can be inside the Cloud Run environment:

> call MCP tool local_system_info
✦ I'll fetch the detailed system information for you.

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Action Required │
│ │
│ ? local_system_info (cloud-proxy-go MCP Server) {} │
│ │
│ MCP Server: cloud-proxy-go │
│ Tool: local_system_info │
│ Allow execution of MCP tool "local_system_info" from server "cloud-proxy-go"? │
│ │
│ 1. Allow once │
│ 2. Allow tool for this session │
│ 3. Allow all server tools for this session │
│ ● 4. Allow tool for all future sessions │
│ 5. No, suggest changes (esc) │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ ✓ local_system_info (cloud-proxy-go MCP Server) {} │
│ │
│ System Information Report │
│ ========================= │
│ │
│ System Information │
│ --- │
│ System Name: linux │
│ OS Name: linux │
│ Host Name: localhost │
│ │
│ CPU Information │
│ --- │
│ Number of Cores: 2 │
│ │
│ Memory Information │
│ --- │
│ Total Memory: 1024 MB │
│ Used Memory: 2 MB │
│ Total Swap: 0 MB │
│ Used Swap: 0 MB │
│ │
│ Network Interfaces │
│ --- │
│ eth2 : RX: 24362 bytes, TX: 12042 bytes (MAC: 42:00:4e:49:43:00) │
│ lo : RX: 0 bytes, TX: 0 bytes (MAC: unknown) │
│ eth1 : RX: 0 bytes, TX: 0 bytes (MAC: unknown) │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
✦ I have retrieved the local system information. Please let me know your next command or how you would like to
  proceed with the proxy-go project.

This validates the local vs Cloud Run environment as the system information returned is from the Cloud Run server- not the local environment.

Summary

The strategy for using Go for MCP development with Gemini CLI was validated with a incremental step by step approach.

A minimal HTTP transport MCP Server was started from Go source code and validated in the same local environment.

This MCP server was then deployed to Google Cloud Run as a secure service. The Cloud Run proxy was activated to secure the connection and validated with Gemini CLI running as a MCP client.

This approach can be extended to more complex deployments using other MCP transports and Cloud based options.

DEV Community