All posts
June 18, 20263 min read

Configuring MCP servers access to BigQuery with just-in-time access

Many engineers assume that giving an MCP server a permanent service‑account key is the simplest way to let it query BigQuery. The reality is that static credentials linger long after a project ends, they can be copied by any compromised process, and they make granular revocation impossible. When a data‑science workload finishes, the same key often remains active, providing a backdoor for lateral movement. Just-in-time access solves this problem by issuing short‑lived, purpose‑bound permissions o

Free White Paper

Just-in-Time Access + Mean Time to Detect (MTTD): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many engineers assume that giving an MCP server a permanent service‑account key is the simplest way to let it query BigQuery. The reality is that static credentials linger long after a project ends, they can be copied by any compromised process, and they make granular revocation impossible. When a data‑science workload finishes, the same key often remains active, providing a backdoor for lateral movement. Just-in-time access solves this problem by issuing short‑lived, purpose‑bound permissions only at the moment a query is needed.

Why just-in-time access matters for BigQuery

BigQuery stores massive analytical datasets, often containing personally identifiable information. Regulatory frameworks expect you to limit exposure to the smallest possible window. A just-in-time model ensures that an MCP server receives a token that is valid for a single request or a brief session, and that the token carries only the scopes required for the specific query. This reduces blast radius, simplifies key rotation, and provides clear audit trails that map each query back to the originating identity.

Setup: identity and provisioning

The first layer of control is identity. Your organization should federate user identities with an OIDC or SAML provider such as Okta, Azure AD, or Google Workspace. Each engineer or service account receives a token that encodes group membership and purpose. When an MCP server needs to run a query, it presents the user’s token to the access gateway. The gateway validates the token, extracts the identity, and maps it to a short‑lived GCP OAuth token or a per‑user service‑account impersonation, depending on your federation configuration. This step decides who can start a request, but it does not enforce what the request can do.

The data path: where enforcement lives

All traffic from the MCP server to BigQuery must pass through a Layer 7 gateway that can inspect the BigQuery protocol, apply policies, and record the interaction. By placing the gateway on the network edge, you guarantee that no request reaches the warehouse without first being evaluated. This is the only place where you can reliably enforce just-in-time approval, mask sensitive result fields, or block dangerous SQL patterns.

Enforcement outcomes with hoop.dev

hoop.dev implements the data‑path gateway. When a request arrives, hoop.dev checks the identity supplied by the setup layer, then applies the configured policy set. If the policy requires human approval for a particular dataset, hoop.dev routes the request to an approver and only forwards it once consent is recorded. For queries that may return credit‑card numbers or Social Security numbers, hoop.dev masks those fields in the response before they reach the MCP server. Every session, successful or denied, is recorded, enabling replay for forensic analysis and providing the evidence needed for compliance audits.

Continue reading? Get the full guide.

Just-in-Time Access + Mean Time to Detect (MTTD): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

High‑level workflow

  • Deploy the gateway near your BigQuery endpoint using the provided Docker Compose or Kubernetes manifest.
  • Register BigQuery as a connection in the gateway, supplying the credential that the gateway will use to talk to the warehouse.
  • Configure the gateway to trust tokens from your OIDC provider and to map groups to per‑user GCP OAuth scopes.
  • Define just-in-time policies that specify which groups may query which datasets, which queries require approval, and which result fields must be masked.
  • When an MCP server initiates a query, it presents the user’s OIDC token to the gateway. hoop.dev validates the token, enforces the policies, and either forwards the request, asks for approval, or blocks it.
  • All activity is logged and can be replayed from the dashboard or exported for audit purposes.

Getting started

For a step‑by‑step walkthrough of deploying the gateway and registering a BigQuery connection, see the getting‑started guide. The learn section contains deeper explanations of policy syntax, masking rules, and approval workflows.

FAQ

Do I still need to manage service‑account keys for BigQuery?

No. hoop.dev holds the credential that talks to BigQuery, while end users and MCP servers only ever see short‑lived tokens issued by your identity provider.

Can I audit who ran which query and when?

Yes. hoop.dev records each session, including the identity, the exact SQL statement, and the approval status, providing a complete audit trail.

What happens if a query tries to return a column marked as sensitive?

hoop.dev masks the designated fields in real time, so the MCP server never receives raw sensitive data.

Ready to try it yourself? Explore the open‑source repository on GitHub and start securing your BigQuery workloads with just-in-time access today.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot