Leveraging Gemini CLI and the underlying Gemini LLM to build Model Context Protocol (MCP) AI applications in the Rust programming language deployed to Google Cloud Run.
Why not just use Python?
Python has traditionally been the main coding language for ML and AI tools. One of the strengths of the MCP protocol is that the actual implementation details are independent of the development language. The reality is that not every project is coded in Python- and MCP allows you to use the latest AI appt roaches with other coding languages.
What is this Tutorial Trying to Do?
Building on previous tutorials, the goal is to extend a Rust MCP server with basic support for API key ennablement. The goal is allowing MCP servers to be deployed as unauthenticated Cloud Run endpoints but be protected by an API key.
What is Rust?
Rust is a high performance, memory safe, compiled language:
Rust provides memory safe operations beyond C/C++ and also can provide exceptional performance gains as it is compiled directly to native binaries.
Initial Environment Setup
The environment is meant to be run from a Bash like shell. You can run this from a Linux VM, ChromeOS Linux VM, Firebase Studio environment, or any environment that provides a basic shell. You will also need a working Docker environment.
Rust Setup
Instructions to install Rust are available here:
For a Linux like environment the command looks like this:
curl — proto ‘=https’ — tlsv1.2 -sSf https://sh.rustup.rs | sh
Rust also depends on a working C compiler and OpenSSL setup. For a Debian 12 system — install the basic tools for development:
sudo apt install build-essential
sudo apt install libssl-dev
sudo apt install pkg-config
sudo apt-get install libudev-dev
sudo apt install make
sudo apt install git
Gemini CLI
If not pre-installed you can download the Gemini CLI to interact with the source files and provide real-time assistance:
sudo npm install -g @google/gemini-cli
Note- if you are an a non standard environment — you will need to make sure to have at least Node version 20 available in order to run Gemini CLI.
Testing the Gemini CLI Environment
Once you have all the tools and the correct Node.js version in place- you can test the startup of Gemini CLI. You will need to authenticate with a Key or your Google Account:
gemini
Getting Started with Rust and MCP
When MCP was first released, there were several competing Rust frameworks that provided support for the protocol. Eventually, one official supported SDK was consolidated to provide a standard package for building MCP applications with Rust. This SDK is more like a toolbox that provides many options- clients/servers, different transports, and even more advanced integration options.
The official MCP Rust SDK (rmcp) is available here:
GitHub - modelcontextprotocol/rust-sdk: The official Rust SDK for the Model Context Protocol
Where do I start?
The strategy for validating Rust for MCP development is a incremental step by step approach.
First, the basic development environment is setup with the required system variables and a working Gemini CLI configuration.
A command line version of the System Information tool is built with Gemini CLI.
Then, a minimal Rust MCP Server is built with the stdio transport working directly with Gemini CLI in the local environment. This validates the connection from Gemini CLI to the local compiled Rust process via MCP. The MCP client (Gemini CLI) and the Rust MCP compiled binary Server both run in the same environment.
Setup the Basic Environment
At this point you should have a working Rust compiler and a working Gemini CLI installation. The next step is to clone the GitHub samples repository with support scripts:
cd ~
git clone https://github.com/xbill9/iap-https-rust
Then run init.sh from the cloned directory.
The script will attempt to determine your shell environment and set the correct variables:
cd iap-https-rust
source init.sh
If your session times out or you need to re-authenticate- you can run the set_env.sh script to reset your environment variables:
cd iap-https-rust
source set_env.sh
Variables like PROJECT_ID need to be setup for use in the various build scripts- so the set_env script can be used to reset the environment if you time-out.
Minimal System Information Tool Build
The first step is to build the basic tool directly with Rust. This allows the tool to be debugged and tested locally before adding the MCP layer.
All of the sample code is in the stdiokey directory-which is shorthand for stdio MCP server with an API key:
xbill@penguin:~/iap-https-rust/manual$
First build the tool locally:
xbill@penguin:~/iap-https-rust/manual$ make
Building the Rust project...
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.37s
xbill@penguin:~/iap-https-rust/manual$
then lint check the code:
xbill@penguin:~/iap-https-rust/manual$ make lint
Linting code...
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.59s
xbill@penguin:~/iap-https-rust/manual$
and run local tests:
xbill@penguin:~/iap-https-rust/manual$ make test
Running tests...
Finished `test` profile [unoptimized + debuginfo] target(s) in 0.10s
Running unittests src/main.rs (target/debug/deps/manual_https_rust-ae86282b192bd7e7)
running 4 tests
test tests::test_schema_generation ... ok
test tests::test_disk_usage ... ok
test tests::test_list_processes ... ok
test tests::test_sysutils_manual_rust ... ok
test result: ok. 4 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.10s
xbill@penguin:~/iap-https-rust/manual$
The last step is to build the production version:
xbill@penguin:~/iap-https-rust/manual$ make release
Building Release...
Finished `release` profile [optimized] target(s) in 0.36s
xbill@penguin:~/iap-https-rust/manual$
Running the Tool Locally
Once the release version has been built- the resulting binary can be executed directly in the local environment.
The quick summary of local system info can be run right from the Makefile:
xbill@penguin:~/iap-https-rust/manual$ make info
Error: MCP_API_KEY environment variable is not set.
Please set it before running 'make info', e.g.:
export MCP_API_KEY=$(gcloud services api-keys get-key-string ...)
make: *** [Makefile:70: info] Error 1
This call failed because no API key was provided on the command line or in the current environment.
The tool will also fail if an invalid key is passed:
xbill@penguin:~/iap-https-rust/manual$ export MCP_API_KEY=zoinks!
xbill@penguin:~/iap-https-rust/manual$ make info
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.38s
Running `target/debug/manual-https-rust info`
{"timestamp":"2026-02-10T23:01:53.427494Z","level":"INFO","fields":{"message":"Fetching MCP API Key for project: 1056842563084"},"target":"manual_https_rust"}
{"timestamp":"2026-02-10T23:01:54.898737Z","level":"INFO","fields":{"message":"Successfully fetched API key via gcloud"},"target":"manual_https_rust"}
MCP API Key Status
------------------
Provided Key: [FOUND]
Cloud Match: [MISMATCH]
Error: MCP_API_KEY is incorrect or missing.
make: *** [Makefile:71: info] Error 1
Setting an API Key
On project setup the init.sh script configures the Google Cloud environment and creates a sample key to secure the connection. To set this key in the current environment — use the set_key.sh script:
xbill@penguin:~/iap-https-rust/manual$ source ../set_key.sh
--- Setting Google Cloud Project ID ---
Using Google Cloud project: comglitn
Checking for existing MCP API Key...
Using existing MCP API Key: projects/1056842563084/locations/global/keys/cbd6422f-e594-4536-9ad9-6f179f43f11b
Retrieving API Key string...
MCP API Key retrieved and exported.
This key can be used with all variants that support API key validation:
- Rust: manual, local, stdiokey
- Python: manual-python, local-python, stdiokey-python
Ensure this script was sourced: source ./set_key.sh
--- Environment Checks ---
Not running in Google Cloud VM or Shell. Checking ADC...
Running on ChromeOS.
--- Initial Setup complete ---
The tool can now execute:
xbill@penguin:~/iap-https-rust/manual$ make info
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.15s
Running `target/debug/manual-https-rust info`
{"timestamp":"2026-02-10T23:03:11.668821Z","level":"INFO","fields":{"message":"Fetching MCP API Key for project: 1056842563084"},"target":"manual_https_rust"}
{"timestamp":"2026-02-10T23:03:13.217355Z","level":"INFO","fields":{"message":"Successfully fetched API key via gcloud"},"target":"manual_https_rust"}
System Information Report
=========================
MCP API Key Status
------------------
Provided Key: [FOUND]
Cloud Match: [MATCHED]
System Information with MCP HTTP Transport
One of the key features that the Rust rmcp SDK provides is abstracting various transport methods.
The high level tool MCP implementation is the same no matter what low level transport channel/method that the MCP Client uses to connect to a MCP Server.
The simplest transport that the SDK supports is the stdio (stdio/stdout) transport — which connects a locally running process. Both the MCP client and MCP Server must be running in the same environment.
The HTTPS transport allows the MCP client and server to run on the same server or be distributed over the Internet.
First- switch the directory with the Rust HTTP sample code:
xbill@penguin:~/iap-https-rust/manual$ make release
Building Release...
Finished `release` profile [optimized] target(s) in 0.10s
xbill@penguin:~/iap-https-rust/manual$
Deploying to Cloud Run
After the HTTP version of the MCP server has been tested locally — it can be deployed remotely to Google Cloud Run.
First- switch to the directory with the HTTP MCP sample code:
xbill@penguin:~/iap-https-rust/manual$
Deploy the project to Google Cloud Run with the pre-built cloudbuild.yaml and Dockerfile:
xbill@penguin:~/iap-https-rust/manual$ make deploy
Submitting build to Google Cloud Build...
Removed 0 files
Creating temporary archive of 9 file(s) totalling 108.5 KiB before compression.
Uploading tarball of [.] to [gs://comglitn_cloudbuild/source/1770764881.036038-1d2bdfd0c2934ff4a6c5695aea782857.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/comglitn/locations/global/builds/a0bdd66b-ffce-432c-a372-2f16e58013d4].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/a0bdd66b-ffce-432c-a372-2f16e58013d4?project=1056842563084].
Waiting for build to complete. Polling interval: 1 second(s).
------------------------------------------------------------ REMOTE BUILD OUTPUT -------------------------------------------------------------
starting build "a0bdd66b-ffce-432c-a372-2f16e58013d4"
FETCHSOURCE
The Cloud Build will start:
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/docker
Step #0: Sending build context to Docker daemon 120.3kB
Step #0: Step 1/10 : FROM rust as builder
Step #0: latest: Pulling from library/rust
Step #0: ef235bf1a09a: Already exists
Step #0: 954d6059ca7b: Pulling fs layer
Step #0: b5e2021c4c8b: Pulling fs layer
Step #0: 128c71264009: Pulling fs layer
It can take 15–30 minutes to complete the build.
The cloud build needs to pull in all the Rust libraries in the build environment and generate the entire package from scratch:
Starting Step #1
Step #1: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #1: Deploying container to Cloud Run service [sysutils-manual-rust] in project [comglitn] region [us-central1]
Step #1: Deploying...
Step #1: Setting IAM Policy............done
Step #1: Creating Revision..........................................................................................................................................................................done
Step #1: Routing traffic.....done
Step #1: Done.
Step #1: Service [sysutils-manual-rust] revision [sysutils-manual-rust-00015-sbd] has been deployed and is serving 100 percent of traffic.
Step #1: Service URL: https://sysutils-manual-rust-1056842563084.us-central1.run.app
Finished Step #1
When the build is complete- an endpoint will be returned. The service endpoint in this example is :
https://sysutils-manual-rust-1056842563084.us-central1.run.app
The actual endpoint will vary based on your project settings.
Review Service in Cloud Run
Navigate to the Google Cloud console and search for Cloud Run -
and then you can detailed information on the Cloud Run Service:
Cloud Logging
The remote server writes logs to stderr in standard JSON format. These logs are available from the deployed Cloud Run Service:
Validate HTTP connection
Once you have the Endpoint — you can attempt a connection- navigate to in your browser:
https://sysutils-manual-rust-1056842563084.us-central1.run.app
You will need to adjust the exact URL to match the URL returned from Cloud Build.
You will get an error- this connection is expecting a message in the MCP format:
Unauthorized
Pass the API Key in Gemini Settings
The stdio server checks the API key if it is provided. The set_key.sh scripts sets the environment variable from the Google Cloud settings:
xbill@penguin:~/iap-https-rust/manual$ source ../set_key.sh
--- Setting Google Cloud Project ID ---
Using Google Cloud project: comglitn
Checking for existing MCP API Key...
Using existing MCP API Key: projects/1056842563084/locations/global/keys/cbd6422f-e594-4536-9ad9-6f179f43f11b
Retrieving API Key string...
MCP API Key retrieved and exported.
This key can be used with all variants that support API key validation:
- Rust: manual, local, stdiokey
- Python: manual-python, local-python, stdiokey-python
Ensure this script was sourced: source ./set_key.sh
--- Environment Checks ---
Not running in Google Cloud VM or Shell. Checking ADC...
Running on ChromeOS.
--- Initial Setup complete ---
xbill@penguin:~/iap-https-rust/manual$
A sample Gemini setup is provided for this scenario as well:
{
"mcpServers": {
"sysutils-manual-rust": {
"httpUrl": "https://sysutils-manual-rust-1056842563084.us-central1.run.app/mcp",
"headers": {
"X-Goog-Api-Key": "$MCP_API_KEY"
}
}
}
}
Next Gemini CLI is used to check the MCP connection settings:
> /mcp list
Configured MCP servers:
🟢 sysutils-manual-rust - Ready (3 tools)
Tools:
- disk_usage
- list_processes
- sysutils_manual_rust
The local MCP Server (sysutils-manual-rust) can now be used directly using Gemini CLI as a MCP client. This is the same Rust binary that was tested locally as a standalone build:
> run mcp tool sysutils-manual-rust
✦ I will run the sysutils_manual_rust tool to provide you with a detailed system information report.
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Action Required │
│ │
│ ? sysutils_manual_rust (sysutils-manual-rust MCP Server) {} │
│ │
│ MCP Server: sysutils-manual-rust │
│ Tool: sysutils_manual_rust │
│ Allow execution of MCP tool "sysutils_manual_rust" from server "sysutils-manual-rust"? │
│ │
│ 1. Allow once │
│ 2. Allow tool for this session │
│ 3. Allow all server tools for this session │
│ ● 4. Allow tool for all future sessions │
│ 5. No, suggest changes (esc) │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
✦ The sysutils_manual_rust tool has been executed. Here is the system information report:
1 System Information Report
2 =========================
3
4 Authentication: [VERIFIED] (Running as MCP Server)
5
6 IAP Context & Identity
7 ----------------------
8 Header Source: x-goog-iap-jwt-assertion
9 API Key Security: Enabled (MCP_API_KEY set)
10 Status: No IAP JWT found (Expected in production Cloud Run environment)
11
12 HTTP Request Headers
13 --------------------
14 Status: No request headers captured (CLI mode or capture error)
15
16 IAP Setup Configuration
17 -----------------------
18 Status: No IAP configuration files found in current directory.
19
20 System Information
21 ------------------
22 System Name: Debian GNU/Linux
23 Kernel Version: 4.4.0
24 OS Version: 12
25 Host Name: localhost
26
27 CPU Information
28 ---------------
29 Number of Cores: 2
30
31 Memory Information
32 ------------------
33 Total Memory: 1024 MB
34 Used Memory: 8 MB
35 Total Swap: 0 MB
36 Used Swap: 0 MB
37
38 Network Interfaces
39 ------------------
Verify Key Enforcement
To check that the key is used to control access to the Cloud Run service- set the key to an invalid value:
xbill@penguin:~/iap-https-rust/manual$ export MCP_API_KEY=ferris4thewin!
xbill@penguin:~/iap-https-rust/manual$
Then restart Gemini CLI and check the MCP connection- it will fail:
ℹ MCP server 'sysutils-manual-rust' requires authentication using: /mcp auth sysutils-manual-rust
> /mcp list
Configured MCP servers:
🔴 sysutils-manual-rust - Disconnected (OAuth not authenticated)
Project Package Details
The manual API project has been published to crates.io:
crates.io: Rust Package Registry
Summary
The potential for using Rust for MCP development with Gemini CLI was validated with a incremental step by step approach.
A minimal HTTP transport MCP Server was built from Rust source code and validated with Gemini CLI running as a MCP client in the same local environment.
Then this entire solution was published to Google Cloud Run and tested with a MCP_API_KEY.
This approach can be extended to more complex deployments using other MCP transports and Cloud based options.
Top comments (0)