Google Gemini Setup and Configuration
Google Gemini Enterprise allows you to connect custom Model Context Protocol (MCP) servers as data stores, giving Gemini secure access to your company's private data, custom internal tools, and MCP-compliant third-party systems directly within the Google Cloud console. This is useful when standard pre-built connectors are unavailable, and you need to integrate internal or legacy systems.
This feature applies to the Standard, Plus, and Frontline editions of Gemini Enterprise.
Prerequisites
Before you can create a custom MCP server data store, several prerequisites must be met across organization policy, IAM permissions, and OAuth registration.
1. Override the Organization Policy Constraint
By default, Gemini Enterprise blocks the creation of custom MCP data stores using a managed organization policy constraint. An organization Policy Administrator must explicitly override this restriction before anyone in the project can create one.
Required role: Organization Policy Administrator (roles/orgpolicy.policyAdmin). This role is available only to project owners and is applicable only if your project is part of a Google Cloud organization.
Steps:
- In the Google Cloud console, go to the Organization Policies page.
- In the project selector, select the specific project for which you want to change enforcement. Setting the policy at the organization level changes enforcement for all projects in the organization, so target the project directly unless you intend org-wide enablement.
- In the Filter field, enter Disable custom mcp server connector for gemini enterprise.
- Click the policy name to navigate to the policy details page.
- Click Manage Policy.
- Select the option to Override parent's policy.
- Add a new rule and set the enforcement toggle to OFF.
- Click Set Policy.
- Verify that the policy status is updated to Not enforced.
2. Grant the Discovery Engine Editor Role
The administrator who will create the data store needs the Discovery Engine Editor role.
- In the Google Cloud console, go to the IAM page.
- Locate the user account and click the Edit icon.
- Grant the Discovery Engine Editor role (roles/discoveryengine.editor).
3. Register Gemini Enterprise as an OAuth Client
If your MCP server requires authentication, you need to register Gemini Enterprise as an OAuth client application with your identity provider (for example, Okta, Azure AD, or Google).
- Register a new OAuth client application with your identity provider.
- Grant the necessary OAuth scopes to the client app.
- Obtain the client_id and client_secret — these are required when configuring the data store.
Creating the Custom MCP Server Data Store
Once the prerequisites are in place, follow these steps to create the data store:
- In the Google Cloud console, go to the Gemini Enterprise page.
- In the navigation menu, click Data stores.
- Click Create data store.
- On the "Select a data source" page, enter Custom MCP Server into the Search sources field. The Custom MCP Server (Preview) card displays.
- Click Add MCP server. The MCP Server Configuration page opens.
- In the Authentication settings section, enter the required values (your OAuth client ID, client secret, and any required scopes or endpoint URLs).
- Click Login and complete the sign-in flow.
- Click Continue. The Advanced options section opens.
- In the MCP Server Description field, enter a description that helps Gemini Enterprise understand what the server does and when to use it. See the "Writing Effective Server Descriptions" section below for guidance.
- Click Continue.
- In the Configure your data connector section, select the Location of your data connector from the Multi-region field list.
- In the Your data connector name field, enter a name for your data store.
- Click Create.
Gemini Enterprise creates your data store and displays it on the Data Stores page. Monitor the state of your data store until it changes from Creating to Active. Once Active, the data store is ready for use.
Enabling Actions (Tools)
By default, no tools or actions from your custom MCP server are enabled after creation. You must explicitly enable them before users can interact with the server through Gemini.
- Go to your custom MCP server data store.
- Click Actions > Reload custom actions to re-authenticate. This performs a tools/list call on your MCP server to retrieve all available tools, which are then displayed on screen.
- Select the actions you want to enable.
- Click Enable actions.
You can also manage actions after initial setup — adding new actions that were skipped during creation, enabling or disabling existing ones, and re-authenticating as needed.
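To make the tools/list step and the deny-by-default behaviour above concrete, here is an added illustration in Python (not Google's or the MCP project's code): the JSON-RPC 2.0 request the connector sends, a sample server's reply, and a filter that leaves every advertised tool disabled until an administrator explicitly enables it. The tool names and schemas are constructed samples.

```python
"""Model of the MCP tools/list exchange behind "Reload custom actions".

Added illustration, not Google's or the MCP project's code: the JSON-RPC 2.0
request Gemini Enterprise sends, a server's reply, and the deny-by-default
filter that keeps every advertised tool disabled until an admin enables it.
Tool names and schemas are constructed samples.
"""
import json

# Constructed sample: tools a hypothetical internal helpdesk MCP server exposes.
SERVER_TOOLS = [
    {"name": "lookup_ticket", "description": "Read one ticket by id",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}},
                     "required": ["id"]}},
    {"name": "close_ticket", "description": "Close a ticket (state-changing)",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}},
                     "required": ["id"]}},
    {"name": "export_all_tickets", "description": "Dump every ticket as CSV",
     "inputSchema": {"type": "object", "properties": {}}},
]


def build_tools_list_request(request_id: int) -> dict:
    """Client side: the JSON-RPC 2.0 message for the MCP tools/list method."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/list", "params": {}}


def handle_tools_list(request: dict) -> dict:
    """Server side: answer tools/list; any other method gets a JSON-RPC error."""
    if request.get("jsonrpc") != "2.0" or request.get("method") != "tools/list":
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": -32601, "message": "Method not found"}}
    return {"jsonrpc": "2.0", "id": request["id"], "result": {"tools": SERVER_TOOLS}}


def enabled_tools(response: dict, allow_list: set) -> list:
    """Connector side, deny by default: a tool is usable only if the server
    advertises it AND an administrator enabled it (stale allow-list names drop)."""
    if "error" in response:
        raise RuntimeError(f"tools/list failed: {response['error']['message']}")
    advertised = {tool["name"] for tool in response["result"]["tools"]}
    return sorted(advertised & allow_list)


if __name__ == "__main__":
    print("wire request:", json.dumps(build_tools_list_request(1)))
    reply = handle_tools_list(build_tools_list_request(1))
    print("advertised:", [t["name"] for t in reply["result"]["tools"]])
    print("enabled right after creation:", enabled_tools(reply, set()))
    print("enabled after admin approval:", enabled_tools(reply, {"lookup_ticket"}))
```

Re-running the filter with the current allow-list after each "Reload custom actions" is what keeps newly advertised server tools disabled until someone reviews them.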
Using the Data Store with a Custom Agent
If you want to query your MCP server through a custom agent rather than the default Gemini Enterprise assistant, you can:
- Create an agent using Agent Designer or the Agent Development Kit (ADK).
- Connect the custom MCP server data store to the agent.
- Authorize Gemini Enterprise to use the agent.
- Users can then interact with the custom agent through the Gemini Enterprise web app.
Troubleshooting
Data store stuck in "Creating" state: Verify that your MCP server URL is correct and publicly accessible. Check that your OAuth credentials are valid and that the authentication flow completed successfully.
No actions/tools appearing: After the data store reaches Active status, you must explicitly reload and enable actions. Go to the data store, click Actions > Reload custom actions, re-authenticate, and enable the tools you need.
Organization policy blocking creation: Confirm that the Disable custom mcp server connector for gemini enterprise policy has been set to Not enforced for your specific project. Check with your Organization Policy Administrator.
Gemini is not routing queries to your data store: Review your MCP Server Description. If it lacks example triggering queries or is ambiguous about what the server handles, Gemini's orchestration system may not select it. See the description of best practices above.
Authentication failures: Verify that your OAuth client ID, client secret, and scopes are correct. Ensure that the identity provider has Gemini Enterprise registered as an authorized client application.