xbill for Google Developer Experts

Posted on Feb 15 • Originally published at xbill999.Medium on Feb 14

Secure MCP Development with Python, Cloud Run, and Cloud Run Proxy

#technology #googlecloudplatform #agents #mcpserver

Enabling Cloud Run Proxy support to secure remote access to MCP services.

What is this Tutorial Trying to Do?

The goal of the tutorial is to use Gemini CLI as a MCP client for secure access to remote MCP enabled services via the setup and configuration of the Cloud Run Proxy.

What is the Cloud Run Proxy?

The Cloud Run Proxy acts like a secure tunnel over the Internet and allows Cloud Run Services to be deployed with Authentication which limits the risk of unauthorized access.

The Cloud Run proxy provides a secure tunnel from your local environment to a Cloud Run Hosted Service:

gcloud run services proxy | Google Cloud SDK Documentation

Initial Environment Setup

The environment is meant to be run from a Bash like shell. You can run this from a Linux VM, ChromeOS Linux VM, Firebase Studio environment, or any environment that provides a basic shell. You will also need a working Docker environment.

Gemini CLI

If not pre-installed you can install the Gemini CLI to interact with the source files and provide real-time assistance:

sudo npm install -g @google/gemini-cli

Note- if you are an a non standard environment — you will need to make sure to have at least Node version 20 available in order to run Gemini CLI.

Testing the CLI Environment from the VM

Once you have all the tools and the correct Node.js version in place- you can test the startup of Gemini CLI. You will need to authenticate with a Key or your Google Account:

gemini

What Is Python?

Python is an interpreted language that allows for rapid development and testing and has deep libraries for working with ML and AI:

Welcome to Python.org

Python Version Management

One of the downsides of the wide deployment of Python has been managing the language versions across platforms and maintaining a supported version.

The pyenv tool enables deploying consistent versions of Python:

GitHub - pyenv/pyenv: Simple Python version management

As of writing — the mainstream python version is 3.13. To validate your current Python:

xbill@penguin:~$ python --version
Python 3.13.12

xbill@penguin:~$ pyenv version
3.13.12 (set by /home/xbill/.pyenv/version)

Python MCP Documentation

The official GitHub Repo provides samples and documentation for getting started:

GitHub - modelcontextprotocol/python-sdk: The official Python SDK for Model Context Protocol servers and clients

Can’t I just use FastMCP?

Fast MCP is a key part of the solution. Full documentation is available here:

Welcome to FastMCP 3.0! - FastMCP

Where do I start?

The strategy for starting MCP development is a incremental step by step approach.

First, the basic development environment is setup with the required system variables, and a working Gemini CLI configuration.

Then, a system info Python MCP Server is built with HTTP transport. This server is validated with Gemini CLI in the local environment.

This setup validates the connection from Gemini CLI to the local process via MCP. The MCP client (Gemini CLI) and the Python MCP server both run in the same local environment.

This entire solution is then deployed to Google Cloud Run in secure mode.

Gemini- CLI is used with Google Cloud Run proxy to verify the secure connection.

Setup the Basic Environment

At this point you should have a working Python environment and a working Gemini CLI installation. The next step is to clone the GitHub samples repository with support scripts:

cd ~
git clone https://github.com/xbill9/iap-https-rust

Then run init.sh from the cloned directory.

The script will attempt to determine your shell environment and set the correct variables:

cd iap-https-rust
source init.sh

If your session times out or you need to re-authenticate- you can run the set_env.sh script to reset your environment variables:

cd iap-https-rust
source set_env.sh

Variables like PROJECT_ID need to be setup for use in the various build scripts- so the set_env script can be used to reset the environment if you time-out.

Python Info Tool with HTTP Transport

One of the key features that the standard MCP libraries provide is abstracting various transport methods.

The high level MCP tool implementation is the same no matter what low level transport channel/method that the MCP Client uses to connect to a MCP Server.

The simplest transport that the SDK supports is the stdio (stdio/stdout) transport — which connects a locally running process. Both the MCP client and MCP Server must be running in the same environment.

The HTTP transport allows the MCP client and server to run on the sameo system or be distributed over the Internet.

The connection over HTTP will look similar to this:

# Initialize FastMCP
mcp = FastMCP(
    "proxy-python",
    port=int(os.environ.get("PORT", 8080)),
    host="0.0.0.0",
)

Running the Python Code

First- switch the directory with the Python version of the MCP sample code:

cd ~/iap-https-rust/proxy-python

Run the release version on the local system:

xbill@penguin:~/iap-https-rust/proxy-python$ make install
Defaulting to user installation because normal site-packages is not writeable
Processing ./.
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done

You can validate the final result by checking the messages:

Successfully built proxy-python
Installing collected packages: proxy-python
  Attempting uninstall: proxy-python
    Found existing installation: proxy-python 0.5.0
    Uninstalling proxy-python-0.5.0:
      Successfully uninstalled proxy-python-0.5.0
Successfully installed proxy-python-0.5.0

The project can also be linted:

xbill@penguin:~/iap-https-rust/proxy-python$ make lint
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: ruff in /home/xbill/.local/lib/python3.13/site-packages (0.14.4)
All checks passed!

And a test run:

xbill@penguin:~/iap-https-rust/proxy-python$ make test
Running tests...
.....
----------------------------------------------------------------------
Ran 5 tests in 0.010s

OK

Running the Tool Locally

Once the release version has been built- the resulting binary can be executed directly in the local environment.

The quick summary of local system info can be run right from the Makefile:

xbill@penguin:~/iap-https-rust/proxy-python$ make info
System Information Report
=========================

System Information
------------------
System Name: posix
OS Name: linux
Host Name: penguin

CPU Information
---------------
Number of Cores: 16

Memory Information
------------------
Total Memory: 6364 MB
Used Memory: 390 MB
Total Swap: 0 MB
Used Swap: 0 MB

Network Interfaces
------------------
lo : RX: 23285 bytes, TX: 23285 bytes (MAC: 00:00:00:00:00:00)
docker0 : RX: 0 bytes, TX: 0 bytes (MAC: 4e:a3:6a:33:b5:c6)
br-e70a18428e21 : RX: 168 bytes, TX: 636 bytes (MAC: d2:f5:fe:60:32:db)
vethae45816 : RX: 126 bytes, TX: 1798 bytes (MAC: 8a:26:e4:92:66:8f)
eth0 : RX: 82135233 bytes, TX: 25224037 bytes (MAC: 00:16:3e:07:39:7b)
vethbe6ba29 : RX: 126 bytes, TX: 1826 bytes (MAC: a2:53:6a:23:c8:b7)
xbill@penguin:~/iap-https-rust/proxy-python$

System Information with MCP HTTP Transport

One of the key features that the MCP protocol provides is abstracting various transport methods.

The high level tool MCP implementation is the same no matter what low level transport channel/method that the MCP Client uses to connect to a MCP Server.

The HTTP transport allows the MCP client and server to run in the same environment or be distributed over the Internet.

First- switch the directory with the HTTP sample code:

xbill@penguin:~/iap-https-rust/proxy-python$ make run
Running the MCP Streaming HTTP server...
2026-02-13 18:10:16,735 - proxy-python - INFO - Starting proxy-python MCP server (Transport: http)
INFO: Started server process [23783]
INFO: Waiting for application startup.
2026-02-13 18:10:16,757 - mcp.server.streamable_http_manager - INFO - StreamableHTTP session manager started
INFO: Application startup complete.
INFO: Uvicorn running on http://0.0.0.0:8080 (Press CTRL+C to quit)

This step validates that the tool can be started locally in streaming HTTP transport mode.

Deploying to Cloud Run

After the HTTP version of the MCP server has been tested locally — it can be deployed remotely to Google Cloud Run.

First- switch to the directory with the HTTP MCP sample code:

xbill@penguin:~/iap-https-rust/proxy-python$ make deploy

Deploy the project to Google Cloud Run with the pre-built cloudbuild.yaml and Dockerfile:

Deploying to Google Cloud Run...
Creating temporary archive of 11 file(s) totalling 15.5 KiB before compression.
Some files were not included in the source upload.

Check the gcloud log [/home/xbill/.config/gcloud/logs/2026.02.13/18.10.51.985103.log] to see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).

Uploading tarball of [.] to [gs://comglitn_cloudbuild/source/1771024252.184302-524bf67eb9f741419acaafdfa7e8e6c2.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/comglitn/locations/global/builds/ae57fb79-5dc6-4a9b-94e7-e94d2a5fc8c6].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/ae57fb79-5dc6-4a9b-94e7-e94d2a5fc8c6?project=1056842563084].
Waiting for build to complete. Polling interval: 1 second(s).

The Cloud Build will start:

Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/docker
Step #0: Sending build context to Docker daemon 26.11kB
Step #0: Step 1/6 : FROM python:3.13-slim
Step #0: 3.13-slim: Pulling from library/python

It can take 15–30 minutes to complete the build.

The cloud build needs to pull in all the Python libraries in the build environment and generate the entire package from scratch:

Step #1: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #1: Deploying container to Cloud Run service [sysutils-proxy-python] in project [comglitn] region [us-central1]
Step #1: Deploying...
Step #1: Setting IAM Policy.............done
Step #1: Creating Revision.....................................................................................................................................done
Step #1: Routing traffic.....done
Step #1: Done.
Step #1: Service [sysutils-proxy-python] revision [sysutils-proxy-python-00003-g6h] has been deployed and is serving 100 percent of traffic.
Step #1: Service URL: https://sysutils-proxy-python-1056842563084.us-central1.run.app

When the build is complete- an endpoint will be returned. The service endpoint in this example is :

https://sysutils-proxy-python-1056842563084.us-central1.run.app

The actual endpoint will vary based on your project settings.

Review Service in Cloud Run

Navigate to the Google Cloud console and search for Cloud Run -

and then you can detailed information on the Cloud Run Service:

Cloud Logging

The remote server writes logs to stderr in standard JSON format. These logs are available from the deployed Cloud Run Service:

Validate HTTP connection

Once you have the Endpoint — you can attempt a connection- navigate to in your browser:

https://sysutils-proxy-python-1056842563084.us-central1.run.app

You will need to adjust the exact URL to match the URL returned from Cloud Build.

You will get an error- this connection is expecting a message in the MCP format:

Error: Forbidden
Your client does not have permission to get URL / from this server.

Configure the Cloud Run Proxy in Gemini Settings

The stdio server checks the API key if it is provided. The set_key.sh scripts sets the environment variable from the Google Cloud settings. A sample Gemini setup is provided for this scenario as well:

 {
    "mcpServers": {
    "cloud-proxy-python": {
      "httpUrl": "http://127.0.0.1:3000/mcp"
    }
  }
}

Verify Proxy is Enforced

Start Gemini CLI to test the connection to the Cloud Run Service. At this point the Cloud Run Proxy has not been activated so the connection will fail:

✕ Error during discovery for MCP server 'cloud-proxy-python': fetch failed

 > /mcp list
Configured MCP servers:

🔴 cloud-proxy-python - Disconnected

Enabling Cloud Run Proxy

Cloud Run Proxy will be used to secure the connection from the local environment to the remote service. The proxy service must be running at the same time as Gemini CLI to route your calls to the remote Cloud Run Service. The Cloud Run Proxy is not usually installed as part of the base Google Cloud CLI tools- so you will get prompted to install the package in your environment. To start the proxy- open a new window and run the sample script:

xbill@penguin:~/iap-https-rust/proxy-python$ source startproxy-python.sh 
--- Setting Google Cloud Environment Variables ---
Checking gcloud authentication status...
gcloud is authenticated.

Pausing command execution:

This command requires the `cloud-run-proxy` component to be installed. Would you like to install the `cloud-run-proxy` component to 
continue command execution? (Y/n)? y

ERROR: (gcloud.run.services.proxy) 
You cannot perform this action because the Google Cloud CLI component manager 
is disabled for this installation. You can run the following command 
to achieve the same result for this installation: 

sudo apt-get install google-cloud-cli-cloud-run-proxy

xbill@penguin:~/$ sudo apt-get install google-cloud-cli-cloud-run-proxy
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  google-cloud-cli-cloud-run-proxy
0 upgraded, 1 newly installed, 0 to remove and 80 not upgraded.
Need to get 7,674 kB of archives.
After this operation, 21.4 MB of additional disk space will be used.
Get:1 [https://packages.cloud.google.com/apt](https://packages.cloud.google.com/apt) cloud-sdk/main amd64 google-cloud-cli-cloud-run-proxy amd64 538.0.0-0 [7,674 kB]
Fetched 7,674 kB in 1s (7,569 kB/s)                        
Selecting previously unselected package google-cloud-cli-cloud-run-proxy.
(Reading database ... 137857 files and directories currently installed.)
Preparing to unpack .../google-cloud-cli-cloud-run-proxy_538.0.0-0_amd64.deb ...
Unpacking google-cloud-cli-cloud-run-proxy (538.0.0-0) ...
Setting up google-cloud-cli-cloud-run-proxy (538.0.0-0) ...
Processing triggers for google-cloud-cli (529.0.0-0) ...
Processing triggers for google-cloud-cli-anthoscli (529.0.0-0) ...
Scanning processes...                                                                                                                    

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

Once the Google Cloud CLI package has been enabled — restart the proxy:

xbill@penguin:~/iap-https-rust/proxy-python$ source startproxy-python.sh 
--- Setting Google Cloud Environment Variables ---
Checking gcloud authentication status...
gcloud is authenticated.

You should see a message similar to this once it has started:

--- Environment setup complete ---
Starting Local Proxy
Proxying to Cloud Run service [sysutils-proxy-python] in project [comglitn] region [us-central1]
http://127.0.0.1:3000 proxies to https://sysutils-proxy-python-fgasxpwzoq-uc.a.run.app

Connect to Cloud Run MCP server

Once the Cloud Run proxy as been activated — keep it running and start a new terminal window. Start a fresh connection over the proxy to Gemini CLI:

 > /mcp list
Configured MCP servers:

🟢 cloud-proxy-python - Ready (2 tools)
  Tools:
  - disk_usage
  - local_system_info

and the tool can be inside the Cloud Run environment:

> call mcp tool local_system_info
✦ I will retrieve the local system information as requested.

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ ✓ local_system_info (cloud-proxy-python MCP Server) {} │
│ │
│ System Information Report │
│ ========================= │
│ │
│ System Information │
│ --- │
│ System Name: posix │
│ OS Name: linux │
│ Host Name: localhost │
│ │
│ CPU Information │
│ --- │
│ Number of Cores: 2 │
│ │
│ Memory Information │
│ --- │
│ Total Memory: 1024 MB │
│ Used Memory: 71 MB │
│ Total Swap: 0 MB │
│ Used Swap: 0 MB │
│ │
│ Network Interfaces │
│ --- │
│ lo : RX: 0 bytes, TX: 0 bytes (MAC: 00:00:00:00:00:00) │
│ eth1 : RX: 0 bytes, TX: 0 bytes (MAC: 00:00:00:00:00:00) │
│ eth2 : RX: 17055 bytes, TX: 10904 bytes (MAC: 42:00:4e:49:43:00) │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
✦ The system information report shows that the system is running on Linux with 2 CPU cores and 1024 MB of total
  memory (71 MB used). It also lists the network interfaces lo, eth1, and eth2.

This validates the local vs Cloud Run environment as the system information returned is from the Cloud Run server- not the local environment.

Summary

The strategy for using Python for MCP development with Gemini CLI was validated with a incremental step by step approach.

A minimal HTTP transport MCP Server was started from Python source code and validated in the same local environment.

This MCP server was then deployed to Google Cloud Run as a secure service. The Cloud Run proxy was activated to secure the connection and validated with Gemini CLI running as a MCP client.

This approach can be extended to more complex deployments using other MCP transports and Cloud based options.

DEV Community