HackstersJr/mcp

Postgres MCP Server — Deployment guide

This project exposes a generic MCP server that can perform read-only SQL queries against a Postgres database.

Capabilities

  • List tables in the connected database
  • Describe table schemas

Important: this server is intentionally generic and not tied to any specific school/schema. It can access any table in the configured database according to the DB credentials provided.

Goal: deploy on a Google Cloud VM and connect to a managed Postgres database (Cloud SQL), making the server available over the internet securely.

High-level steps

  1. Provision a VM (Debian/Ubuntu) in GCP.
  2. Provision a Cloud SQL for Postgres instance (or install Postgres on the VM).
  3. Configure networking: Use Cloud SQL Auth proxy or private IP, and configure firewall rules for the VM.
  4. SSH into the VM, create a Python venv, install requirements, and configure env vars.
  5. Run the postgres-erp-server via systemd (service unit provided in deploy/) or run the HTTP wrapper with uvicorn.

Security recommendations

  • Never expose the Postgres port (5432) directly to the public internet. Use Cloud SQL (private IP or Cloud SQL Auth Proxy) or a VPN.
  • Restrict VM firewall to only required ports (e.g., 443/22), and use a reverse proxy (nginx) with TLS when exposing the MCP service.
  • Store DB credentials in Secret Manager or use environment variables injected via a secure mechanism.
  • Because the server can access any table, strongly restrict who can call the HTTP wrapper and use allowlists if needed (see below).

Quick deploy (summary)

  • On GCP console: create VM (Debian/Ubuntu), create Cloud SQL Postgres instance.
  • Option A: Connect via Cloud SQL Auth Proxy (recommended for managed Cloud SQL): run the proxy as a systemd service.
  • Option B: Use Cloud SQL private IP and place the VM in the same VPC.

See deploy/postgres-erp-server.service and deploy/cloud-sql-proxy.service for example service definitions.

Allowlist option

  • If you want to restrict which schemas/tables are accessible via the HTTP wrapper, you can provide an allowlist (schema.table or table names) and the wrapper will refuse requests for non-allowed tables. Contact me and I can add an allowlist implementation.
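
One way such an allowlist check could look, as an added example (not code from this repository). The class name `TableAllowlist`, the `public` default schema, and the sample table names are assumptions; anything that is not a plain `table` or `schema.table` identifier is refused rather than interpreted.

```python
import re

# Plain (unquoted) Postgres identifier; quoted names are deliberately unsupported.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")


class TableAllowlist:
    """Allowlist of tables; bare names resolve to default_schema (assumed 'public')."""

    def __init__(self, entries, default_schema="public"):
        self.default_schema = default_schema
        self.allowed = {self._normalize(e) for e in entries}

    def _normalize(self, name):
        if not isinstance(name, str):
            raise ValueError("table name must be a string")
        parts = name.strip().split(".")
        if len(parts) == 1:
            parts = [self.default_schema, parts[0]]
        if len(parts) != 2 or not all(_IDENT.fullmatch(p) for p in parts):
            raise ValueError(f"unsupported table identifier: {name!r}")
        # Postgres folds unquoted identifiers to lower case.
        return tuple(p.lower() for p in parts)

    def check(self, requested):
        """Return (schema, table) if allowed; raise PermissionError otherwise."""
        try:
            key = self._normalize(requested)
        except ValueError:
            key = None  # malformed or quoted names are refused, never guessed at
        if key not in self.allowed:
            raise PermissionError(f"table not allowed: {requested!r}")
        return key

    def allows(self, requested):
        """Boolean form of check(), e.g. for filtering a list-tables result."""
        try:
            self.check(requested)
            return True
        except PermissionError:
            return False


if __name__ == "__main__":
    # Constructed sample allowlist and requests.
    al = TableAllowlist(["orders", "reporting.daily_sales"])
    for name in ["Orders", "reporting.daily_sales", "users", 'public."orders"']:
        print(name, "->", "allowed" if al.allows(name) else "refused")
```

This guards requests that name a table explicitly, such as a describe-table call. Free-form SQL is still bounded only by the privileges of the configured DB credentials.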

If you'd like, I can also add an HTTPS wrapper (FastAPI) and instructions to configure nginx and TLS.

For nginx + TLS instructions, see deploy/README-nginx.md which includes sample nginx config and Certbot steps.
