# BigQuery MCP — Protected Mode for PHI/PII Guardrails > BigQuery MCP runs BigQuery queries from Claude Desktop and can block sensitive columns in Protected Mode so PHI/PII never enters the LLM context. ## Install Merge the JSON below into your `.mcp.json`: ## Quick Use 1. Authenticate (dev): ```bash gcloud auth application-default login ``` 2. Add to `claude_desktop_config.json`: ```json { "mcpServers": { "bigquery": { "command": "npx", "args": ["-y", "@ergut/mcp-bigquery-server", "--project-id", "your-project-id"] } } } ``` 3. Verify: ask Claude to list datasets, then run a small `SELECT ... LIMIT 10` against a safe table. ## Intro BigQuery MCP runs BigQuery queries from Claude Desktop and can block sensitive columns in Protected Mode so PHI/PII never enters the LLM context. - **Best for:** teams querying BigQuery via agents where field-level data egress control matters as much as IAM - **Works with:** Node.js 14+, gcloud ADC or service-account key files, Claude Desktop MCP integration - **Setup time:** 10-25 minutes ## Practical Notes - Quant: Protected Mode supports a `config.json` to prevent specific columns from ever being returned to the LLM context. - Quant: always start with small limits and a bytes-billed cap before you let agents explore large datasets. ## Why it matters BigQuery access is powerful but risky for regulated data. This server is notable because it treats field-level restrictions as a first-class guardrail for agent workflows. - Quick-start is concrete (npx + project id), minimizing setup friction for data teams. - Protected Mode is explicitly designed for PHI/PII and similar sensitive columns. - The README clearly explains the difference between IAM reachability and LLM context egress boundaries. ## Rollout pattern - Start in a dev project with sanitized datasets and verify query limits and output formatting. - Introduce Protected Mode configs before any production data touches the agent. - Add a separate “analysis allowed” allowlist of datasets and keep everything else blocked by default. ## Watchouts BigQuery IAM controls who can run queries, not what ends up in the LLM conversation. Use Protected Mode (or a view-based approach) to prevent sensitive columns from being returned. ### FAQ **Q: Is it only for Claude Desktop?** A: The README calls out Claude Desktop as the currently supported interface; treat it as the reference client setup. **Q: What is the safest default?** A: Simple Mode with small limits, then Protected Mode with prevented fields for regulated data. **Q: How should I authenticate in production?** A: Use a service account key file (or a workload identity pattern) and keep permissions narrowly scoped. ## Source & Thanks > Source: https://github.com/ergut/mcp-bigquery-server > License: MIT > GitHub stars: 138 · forks: 33 --- ## 快速使用 1. 鉴权(开发环境): ```bash gcloud auth application-default login ``` 2. 写入 `claude_desktop_config.json`: ```json { "mcpServers": { "bigquery": { "command": "npx", "args": ["-y", "@ergut/mcp-bigquery-server", "--project-id", "your-project-id"] } } } ``` 3. 验证:先列出 dataset,再对安全表跑 `SELECT ... LIMIT 10`。 ## 简介 BigQuery MCP 让 Claude Desktop 直接查询 BigQuery,并通过 Protected Mode 配置字段级限制,避免 PHI/PII 等敏感列进入 LLM 上下文,适合合规要求更高的数据分析场景。 - **适合谁:** 需要用 Agent 查 BigQuery 且“字段级外发控制”与 IAM 同等重要的团队 - **可搭配:** Node.js 14+、gcloud ADC 或服务账号 key、Claude Desktop 的 MCP 集成 - **准备时间:** 10-25 分钟 ## 实战建议 - 量化信息:Protected Mode 可通过 `config.json` 阻止敏感字段被返回,从源头减少外发风险。 - 量化信息:先把 LIMIT 和 bytes-billed 上限设小,再逐步扩大探索范围。 ## 为什么值得收录 让 Agent 查 BigQuery 的能力很强,但在合规数据上风险更高。这个项目的亮点是把“字段级限制”当作第一等护栏来设计,而不是事后靠提示词约束。 - Quick start 直接 npx + project id,降低数据团队接入成本。 - Protected Mode 面向 PHI/PII 这类敏感字段做了明确设计。 - 解释了 IAM 与 LLM 上下文外发边界的差异,安全意识更到位。 ## 落地路径 - 先在 dev 项目用脱敏数据集验证 LIMIT/输出格式/成本上限。 - 任何生产数据进入 Agent 之前先上 Protected Mode 配置。 - 建立 dataset allowlist:允许分析的集合明确列出,其余默认禁止。 ## 注意事项 IAM 只决定能不能查,并不决定“返回给 LLM 的内容”。建议用 Protected Mode(或视图隔离)避免敏感字段被返回。 ### FAQ **只能给 Claude Desktop 用吗?** 答:README 表示目前支持的界面以 Claude Desktop 为主,可把它当作参考客户端。 **最安全的默认姿态?** 答:先 Simple Mode + 小 LIMIT,再对合规数据用 Protected Mode 禁止敏感字段。 **生产环境如何鉴权?** 答:用服务账号 key(或工作负载身份),并把权限收紧到最小范围。 ## 来源与感谢 > Source: https://github.com/ergut/mcp-bigquery-server > License: MIT > GitHub stars: 138 · forks: 33 --- Source: https://tokrepo.com/en/workflows/bigquery-mcp-protected-mode-for-phi-pii-guardrails Author: MCP Hub