How to add BigQuery MCP Server to Windsurf

Secure, read-only access to Google BigQuery datasets for LLMs, with field-level PII/PHI protection. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.

Last updated June 14, 2026 · 142 · stdio · no auth

Windsurf config for BigQuery MCP Server

npx -y @ergut/mcp-bigquery-server --project-id your-project-id

{
  "mcpServers": {
    "bigquery-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "@ergut/mcp-bigquery-server",
        "--project-id",
        "your-project-id"
      ]
    }
  }
}

Setup steps

  1. Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
  2. Paste the BigQuery MCP Server config above.
  3. Fill in placeholder secrets, then save.
  4. Click Refresh in the MCP panel.
  5. BigQuery MCP Server's tools become available to Cascade.

Before you start

  • Node.js 14 or higher
  • Google Cloud project with BigQuery enabled
  • Google Cloud CLI installed or a service account key file
  • Any MCP-compatible client (Claude Desktop, Claude Code, etc.)

What BigQuery MCP Server can do in Windsurf

query

Run a read-only BigQuery SQL query. Accepts a `sql` string argument; only SELECT statements pass BigQuery's dry-run validation, and INFORMATION_SCHEMA queries are auto-qualified to the project. Results respect the configured maximumBytesBilled limit and any active field/table protection rules.

Security

  • Read-only by design: only SELECT statements pass BigQuery's dry-run validation; mutating statements (INSERT, UPDATE, DELETE, DROP, TRUNCATE, EXPORT DATA, MERGE) are rejected.
  • Protected Mode lets admins define preventedFields to block sensitive columns (PII/PHI/financial/secrets) from entering LLM responses, with an optional auto-scanner across all datasets.
  • Per the README, field restrictions are cooperative guardrails for AI agents, not a hard SQL firewall against adversarial attackers (see PROTECTION.md).
  • Query results are sent to the LLM provider for processing and thus leave your network; run locally for sensitive data.
  • The per-query billing cap (maximumBytesBilled, default 1GB) is configurable via config.json or --maximum-bytes-billed.
  • Keep service account key files secure and never commit them.

BigQuery MCP Server + Windsurf FAQ

Where is the Windsurf config file?

Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the BigQuery MCP Server config there under the "mcpServers" key and restart the client.

Can the AI agent modify or delete my data?

No. The server is read-only by design. Only SELECT statements are allowed and each query is validated by BigQuery's dry-run planner before execution, so INSERT, UPDATE, DELETE, DROP, TRUNCATE, EXPORT DATA, and MERGE are all rejected.

How does it authenticate to Google Cloud?

Either via Application Default Credentials (`gcloud auth application-default login`, good for development) or a service account key file passed with the --key-file argument (recommended for production). Keep service account key files secure and never commit them to version control.

What is the difference between Simple Mode and Protected Mode?

Simple Mode runs with no config file, applies safe defaults (1GB query limit) and no field restrictions — suitable for personal projects and non-sensitive data. Protected Mode is enabled by passing --config-file and lets you define preventedFields, choose a protectionMode (off, allowedTables, autoProtect), and run an auto-scanner that discovers sensitive columns across all datasets.
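
An added example, not code from the BigQuery MCP Server project or from this directory: a Python check that reads a Windsurf mcp_config.json and reports the launch settings called out in the Security notes and FAQ above (placeholder project ID, Simple Mode without field protection, credential source, key-file hygiene). The function names and finding codes are this example's own; the package name and flags are the ones shown on this page.

```python
import json
import os
import stat

PKG = "@ergut/mcp-bigquery-server"  # package name as shown in the config above

def flag_value(args, flag):
    """Value that follows `flag` in the args list, or None if the flag is absent."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return None

def in_git_worktree(path):
    """True if any parent directory of `path` contains a .git entry."""
    d = os.path.dirname(os.path.abspath(path))
    while True:
        if os.path.exists(os.path.join(d, ".git")):
            return True
        parent = os.path.dirname(d)
        if parent == d:
            return False
        d = parent

def audit(config_text):
    """Return (code, detail) findings; the codes are labels invented for this example."""
    findings = []
    for name, entry in json.loads(config_text).get("mcpServers", {}).items():
        args = entry.get("args", [])
        if not any(a == PKG or a.startswith(PKG + "@") for a in args):
            continue  # not a BigQuery MCP Server entry
        if flag_value(args, "--project-id") in (None, "your-project-id"):
            findings.append(("placeholder-project", name))
        if flag_value(args, "--config-file") is None:
            findings.append(("simple-mode-no-field-protection", name))
        key = flag_value(args, "--key-file")
        if key is None:
            findings.append(("adc-credentials", name))  # informational: ADC in use
        elif not os.path.isfile(key):
            findings.append(("key-file-missing", key))
        else:
            if stat.S_IMODE(os.stat(key).st_mode) & 0o077:  # POSIX permission bits
                findings.append(("key-file-group-or-world-accessible", key))
            if in_git_worktree(key):
                findings.append(("key-file-inside-git-worktree", key))
    return findings

if __name__ == "__main__":
    with open(os.path.expanduser("~/.codeium/windsurf/mcp_config.json")) as fh:
        for code, detail in audit(fh.read()):
            print(f"{code}: {detail}")
```

Run against the config exactly as pasted from this page, it reports the placeholder project ID, Simple Mode, and Application Default Credentials.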