access

This MCP server automates access management for the MCP community resources by leveraging Pulumi to manage GCP and Google Workspace configurations. It synchronizes GitHub Teams with the MCP GitHub organization and keeps Google Workspace groups in sync for @modelcontextprotocol.io email accounts. Email groups can accept external posts with moderation enabled for security. Use the repository’s Makefile targets and the GitHub Actions workflow to apply changes automatically when merging to main. You can review and adjust the group and user definitions in src/config/groups.ts and src/config/users.ts to reflect your desired access policies.

Prerequisites:

• Pulumi CLI installed: https://www.pulumi.com/docs/get-started/install/
• Google Cloud SDK installed: https://cloud.google.com/sdk/docs/install
• Access to the GCP project and Google Workspace admin privileges

Installation steps:

1. Authenticate with GCP and set up your project: gcloud projects create mcp-access-prod gcloud config set project mcp-access-prod gcloud services enable storage.googleapis.com gcloud services enable admin.googleapis.com gcloud services enable groupssettings.googleapis.com

2. Create and configure the Pulumi service account and state backend following the repository’s Initial Setup guidance (as described in the README):

• Create service account, assign storage admin role, and generate sa-key.json
• Create Pulumi state bucket: gs://mcp-access-prod-pulumi-state
• Initialize Pulumi backend and stack: pulumi login gs://mcp-access-prod-pulumi-state export PULUMI_CONFIG_PASSPHRASE_FILE=passphrase.prod.txt pulumi stack init prod

3. Provide credentials and secrets to Pulumi: pulumi config set --secret googleworkspace:credentials "$(cat sa-key.json)" pulumi config set --secret github:token "<your_github_token>"

4. Configure GitHub Actions secrets in the repository settings as documented:

• GCP_PROD_SERVICE_ACCOUNT_KEY: contents of sa-key.json
• PULUMI_PROD_PASSPHRASE: your passphrase

5. Preview and apply changes via the repository targets or the GitHub Actions workflow: make preview make up

Notes:

• The deployment is automated on merges to main via GitHub Actions, but you can perform manual deployment using the Make targets described in the README (make preview, make up).
• Keep your Pulumi passphrase secure. If lost, encrypted values in stack configurations cannot be decrypted.
• Ensure the GCS bucket and IAM permissions are correctly configured to avoid Pulumi state write failures.
• Review src/config/groups.ts and src/config/users.ts to align membership logic with your organization’s access policy.
• If you need to revoke access, update the configuration files and re-run the deployment workflow.