Production-ready Model Context Protocol server for Fivetran, Claude Code and Gemini CLI-compatible, deployed as a remote MCP Server on Google Cloud Run.
Based on: Official Fivetran MCP Server by Fivetran
Cloud Run Extension: Mark Rittman (@markrittman) | Rittman Analytics
This project is based on the official Fivetran MCP Server, which provided the original set of Fivetran MCP tools using the stdio transport. We extended it significantly for production Cloud Run deployment:
| What changed | Detail |
|---|---|
| Transport | Replaced stdio with HTTP (FastAPI) for Cloud Run |
| Authentication | Per-request header auth (X-Fivetran-API-Key / X-Fivetran-API-Secret) |
| Tool count | Expanded from 25 to 78 tools covering the full Fivetran REST API |
| Test suite | 225 tests at 94% coverage (unit, integration, protocol, e2e) |
| OAuth 2.1 layer | Optional OAuth flow for Claude.ai web integration |
| GCP Secret Manager | Encrypted credential storage for the OAuth flow |
| Containerisation | Dockerfile + Cloud Build + one-command deployment scripts |
The Fivetran MCP Server lets Claude manage your Fivetran account through natural language. Ask Claude to:
- List all connections and check their sync status
- Create new connectors to SaaS tools, databases, or files
- Trigger, pause, or resume syncs
- Enable or disable specific tables and columns
- Run dbt transformations
- Manage destinations, groups, users, and webhooks
All 78 operations map directly to the Fivetran REST API v1.
- Google Cloud Platform account with billing enabled
gcloudCLI installed and authenticated- Docker (for local testing only)
- GCP roles: Cloud Run Admin, Secret Manager Admin, Service Account Admin, Cloud Build Editor
git clone https://github.com/rittmananalytics/Fivetran-MCP-Server-on-Cloud-Run.git
cd Fivetran-MCP-Server-on-Cloud-Run
export GCP_PROJECT_ID="your-gcp-project-id"
export CLOUD_RUN_REGION="europe-west2" # change to your preferred regionchmod +x setup-service-account.sh
./setup-service-account.shThis creates a service account with permissions for Secret Manager and Cloud Logging.
chmod +x deploy.sh
./deploy.shThe script will:
- Enable required GCP APIs
- Build the container image using Cloud Build
- Store a generated JWT secret in Secret Manager
- Deploy the service to Cloud Run
- Print the service URL
SERVICE_URL=$(gcloud run services describe fivetran-mcp-server \
--platform managed --region ${CLOUD_RUN_REGION} \
--format 'value(status.url)')
curl ${SERVICE_URL}/health
# {"status":"healthy","version":"2.0.0"}After deployment you'll have these endpoints:
| Endpoint | Purpose |
|---|---|
https://your-service-url/health |
Health check |
https://your-service-url/mcp |
MCP JSON-RPC |
https://your-service-url/authorize |
OAuth 2.1 authorisation |
https://your-service-url/token |
OAuth 2.1 token |
git pull
./deploy.sh| Service | Cost |
|---|---|
| Cloud Run | ~$0 at rest; ~$0.10–$1/day under active use |
| Secret Manager | $0.06 per 10,000 accesses |
| Cloud Build | 120 build-minutes/day free |
| Total | < $5/month for light usage |
This is the simplest approach — credentials are passed as HTTP headers on every request.
Add the following to ~/.claude/mcp_settings.json:
{
"mcpServers": {
"fivetran": {
"url": "https://YOUR-SERVICE-URL/mcp",
"transport": "http",
"headers": {
"X-Fivetran-API-Key": "YOUR_FIVETRAN_API_KEY",
"X-Fivetran-API-Secret": "YOUR_FIVETRAN_API_SECRET"
}
}
}
}Get your API credentials from Fivetran dashboard → Account → Settings → API Config.
Restart Claude Code after editing mcp_settings.json.
If you prefer not to store credentials in config files, use the OAuth flow:
{
"mcpServers": {
"fivetran": {
"url": "https://YOUR-SERVICE-URL/mcp",
"transport": "http",
"auth": {
"type": "oauth2",
"authorizationUrl": "https://YOUR-SERVICE-URL/authorize",
"tokenUrl": "https://YOUR-SERVICE-URL/token",
"clientId": "claude-code",
"scopes": ["fivetran:read", "fivetran:write"]
}
}
}
}On first use, Claude will provide an authorisation URL. Open it, enter your Fivetran credentials, and a JWT token (valid for 1 hour) will be issued and stored.
In Claude Code, ask:
List my Fivetran connections
Claude will call list_connections and return your connectors.
This repo includes a Claude Code skill at .claude/skills/fivetran/SKILL.md that provides Claude with detailed guidance on all 78 tools, common workflows, and safety guidelines.
The skill activates automatically when you're working with Fivetran topics. You can also invoke it directly with /fivetran.
| Tool | Description |
|---|---|
get_account_info |
Get account information for the current credentials |
| Tool | Description |
|---|---|
list_connections |
List all connections (auto-paginates) |
create_connection |
Create a new connection |
get_connection_details |
Full details including status and config |
modify_connection |
Update settings (sync frequency, paused, etc.) |
delete_connection |
Destructive. Permanently delete a connection |
get_connection_state |
Detailed sync state |
modify_connection_state |
Update sync state |
sync_connection |
Trigger an immediate sync |
resync_connection |
Full historical re-sync |
resync_tables |
Re-sync specific tables |
run_connection_setup_tests |
Verify connection config |
create_connect_card |
Create embed token for Fivetran setup UI |
get_connection_url |
Dashboard URL for a connection |
| Tool | Description |
|---|---|
get_connection_schema_config |
Which tables and columns are enabled |
reload_connection_schema_config |
Discover new tables from source |
modify_connection_schema_config |
Bulk enable/disable schemas and tables |
modify_connection_database_schema_config |
Update a specific database schema |
get_connection_column_config |
Column-level config for a table |
modify_connection_table_config |
Enable or disable a table |
modify_connection_column_config |
Enable/disable or hash a column |
delete_connection_column_config |
Remove a blocked column config entry |
delete_multiple_columns_connection_config |
Remove multiple blocked column entries |
| Tool | Description |
|---|---|
list_destinations |
All destinations (auto-paginates) |
create_destination |
Create a new destination |
get_destination_details |
Config for a specific destination |
modify_destination |
Update destination config |
delete_destination |
Destructive. Delete a destination |
run_destination_setup_tests |
Verify destination connectivity |
| Tool | Description |
|---|---|
list_groups |
All groups (auto-paginates) |
create_group |
Create a new group |
get_group_details |
Details for a specific group |
modify_group |
Update a group |
delete_group |
Destructive. Delete a group |
list_connections_in_group |
Connections in a group (auto-paginates) |
list_users_in_group |
Users in a group (auto-paginates) |
add_user_to_group |
Add a user to a group |
delete_user_from_group |
Destructive. Remove a user from a group |
get_group_ssh_public_key |
SSH public key for a group |
get_group_service_account |
Service account email for a group |
| Tool | Description |
|---|---|
list_log_services |
All external log services |
create_log_service |
Create a new log service |
get_log_service_details |
Details for a specific log service |
update_log_service |
Update a log service |
delete_log_service |
Destructive. Delete a log service |
run_log_service_setup_tests |
Test a log service |
| Tool | Description |
|---|---|
list_hybrid_deployment_agents |
All hybrid agents |
create_hybrid_deployment_agent |
Create a new agent |
get_hybrid_deployment_agent |
Details for a specific agent |
re_auth_hybrid_deployment_agent |
Regenerate agent credentials |
reset_hybrid_deployment_agent_credentials |
Reset agent credentials |
delete_hybrid_deployment_agent |
Destructive. Delete an agent |
| Tool | Description |
|---|---|
list_metadata_connectors |
All connector types with metadata |
get_metadata_connector_config |
Detailed config schema for a connector type |
list_public_connectors |
Public connector list (no auth required) |
| Tool | Description |
|---|---|
list_transformation_projects |
All transformation projects |
create_transformation_project |
Create a new project |
get_transformation_project_details |
Details for a specific project |
modify_transformation_project |
Update a project |
delete_transformation_project |
Destructive. Delete a project |
test_transformation_project |
Run project tests |
list_transformations |
All transformations |
create_transformation |
Create a new transformation |
get_transformation_details |
Details for a specific transformation |
update_transformation |
Update a transformation |
delete_transformation |
Destructive. Delete a transformation |
run_transformation |
Trigger a transformation run |
cancel_transformation |
Cancel a running transformation |
upgrade_transformation_package |
Upgrade dbt package version |
list_transformation_package_metadata |
Quickstart package metadata |
get_transformation_package_metadata_details |
Details for a quickstart package |
| Tool | Description |
|---|---|
list_webhooks |
All webhooks |
create_account_webhook |
Create an account-level webhook |
create_group_webhook |
Create a group-level webhook |
get_webhook_details |
Details for a specific webhook |
modify_webhook |
Update a webhook |
delete_webhook |
Destructive. Delete a webhook |
test_webhook |
Send a test event to a webhook |
You: Are any of my connections failing?
Claude: I'll check all connections...
[calls list_connections]
Found 1 issue:
• mysql_orders — Last failed 3 hours ago (connection timeout)
Recommendation: Check database firewall rules
You: Create a Calendly connection syncing to the marketing group
Claude: I'll check the Calendly connector config first...
[calls get_metadata_connector_config with service="calendly"]
[calls list_groups to find group_id]
[calls create_connection]
[calls modify_connection to set auth.access_token]
[calls run_connection_setup_tests]
Created connection "calendly_marketing" in the marketing destination.
Setup test: PASSED. First sync will begin within the hour.
You: Pause all production connections for database maintenance
Claude: [calls list_connections, filters by name pattern]
[calls modify_connection for each with paused=true]
Paused 4 connections:
• postgres_production
• mysql_orders
• mongodb_events
• redis_sessions
# Install dependencies
make install
# Run tests
make test
# Lint + type-check + test + coverage
make verify
# Format code
make formatTest coverage target: ≥ 85% on src/.
- Credentials are never logged
- All Fivetran API communication uses HTTPS
- Set
FIVETRAN_ALLOW_WRITES=falseto run in read-only mode (blocks all mutating tools) - Rotate the JWT secret periodically:
NEW_SECRET=$(openssl rand -base64 32) echo -n "${NEW_SECRET}" | gcloud secrets versions add fivetran-mcp-jwt-secret --data-file=- gcloud run services update fivetran-mcp-server --region ${CLOUD_RUN_REGION}
| Issue | Solution |
|---|---|
| Claude can't find tools | Check mcp_settings.json, restart Claude Code |
| 400 on every request | Verify X-Fivetran-API-Key and X-Fivetran-API-Secret headers are set |
| Connection setup test fails | Call get_metadata_connector_config to check correct field names; OAuth connectors need auth.access_token not config.api_token |
| Service unavailable | Check gcloud run services list; view logs with gcloud logging read "resource.labels.service_name=fivetran-mcp-server" --limit=20 |
| Deployment fails | Ensure billing is enabled; run gcloud auth login; check Cloud Build logs |
- Built on the Model Context Protocol by Anthropic
- Powered by the Fivetran REST API v1
- Based on the official Fivetran MCP Server by Fivetran
This is an unofficial community project and is not affiliated with or endorsed by Fivetran Inc.