The CData Code Assist MCP for AlloyDB defines each connection to AlloyDB as a named configuration that an MCP Client (such as Claude Desktop) can use when sending natural language queries.

You create and manage these configurations using the CData Code Assist MCP Configuration Tool. The tool automatically handles formatting, storage, and registration with MCP clients.

Understanding Connection Configurations

Each connection configuration is stored in a .mcp file. This file includes the details needed to initialize the connector when an MCP Client starts a session.

• On Windows, configuration files are stored in "~/AppData/Roaming/CData/AlloyDB Data Provider/".
• On macOS, configuration files are stored in "~/Library/Application Support/CData/AlloyDB Data Provider/".

The .mcp file is a text file that contains a list of connection properties and a timestamp. For example:

#Tue May 20 15:48:40 EDT 2025
AuthScheme=Basic
User=myUser
Password=myPassword
Security Token=myToken

The configuration tool handles these settings automatically. Each saved configuration enables an MCP client to launch a dedicated MCP server instance with the correct connector and options. Manual file editing is not required.

Connecting to AlloyDB

To connect to AlloyDB, set these properties:

• Server: The host name or IP of the server hosting the AlloyDB database.
• Port (optional): The port of the server hosting the AlloyDB database. This property is set to 5432 by default.
• User: The user which will be used to authenticate with the AlloyDB server.
• Password: The password which will be used to authenticate with the AlloyDB server.
• Database (optional): The database to connect to when connecting to the AlloyDB Server. If this is not set, the user's default database will be used.

Authenticating to AlloyDB

AlloyDB supports authentication through the following methods:

• Standard
• pg_hba.conf
  • MD5
  • SASL
• Kerberos
• OAuthJWT

Standard Authentication

Standard authentication (using the user/password combination supplied earlier) is the default form of authentication.

No further action is required to leverage Standard Authentication to connect.

pg_hba.conf Auth Schemes

There are additional methods of authentication supported by the server which must be enabled in the pg_hba.conf file on the AlloyDB server.

You can find instructions about authentication setup on the AlloyDB Server here.

MD5

You can authenticate using MD5 password verification by setting the auth-method in the pg_hba.conf file to md5.

SASL

The server can authenticate by verifying the password with SASL (particularly, SCRAM-SHA-256).

To use this authentication method, set the auth-method in the pg_hba.conf file to scram-sha-256.

Kerberos

The authentication with Kerberos is initiated by AlloyDB Server when the CData Code Assist MCP for AlloyDB is trying to connect to it. Set up Kerberos on the AlloyDB Server to activate this authentication method. Once you have Kerberos authentication set up on the AlloyDB server, see Using Kerberos for details regarding how to authenticate with Kerberos by the server.

OAuthJWT

This authentication method allows a Google Cloud service account to authenticate with AlloyDB using a JSON key file.

Prerequisite

Before configuring this authentication method, ensure that you have a Google Cloud service account. You must also generate and download a new key file (JSON-formatted) for that service account.

To obtain this file in the Google Cloud console:

1. Go to IAM & Admin > Service accounts. If you do not have an account already, you must create one (see detailed instructions here.)
2. Click on the email address of your service account (for example, [email protected]).
3. Go to the Keys tab.
4. Select Add Key > Create new key.
5. Select JSON as the key type. Then, click Create.

Note: Once the file for the key is downloaded, it cannot be redownloaded due to security reasons. However, you can generate additional keys as needed.

Authenticate to AlloyDB with OAuthJWT

1. Using IAM administrator tools (IAM & Admin > IAM), grant the new or existing service account the alloydb.databaseUser and serviceusage.serviceUsageConsumer roles.
2. Add that service account to a cluster (see detailed instructions here.)
3. Set the required connection properties:
   • AuthScheme: OAuthJWT.
   • OAuthJWTCertType: GOOGLEJSON.
   • OAuthJWTCert: The path to the service account key file you downloaded (for example, C:\keys\my-gcp-project-service-account.json).
   • User: The service account's address without the .gserviceaccount.com suffix (for example, [email protected]).