
MongoDB MCP Server Prerequisites

The MCP Server can run Atlas tools that perform various Atlas operations. To run the Atlas tools, your Atlas cluster requires a service account with the appropriate permissions. For a list of the tools, see MongoDB MCP Server Tools.

Select the permissions to run the MCP Server Atlas tools and create a service account with those permissions.

Select the minimum permissions for the service account.

Note

Granting the Organization Owner role is rarely necessary and can be a security risk.

The following table shows the operations you can perform with the MCP Server and the required roles for those operations:

| Operation | Safest Role to Assign | Level |
| --- | --- | --- |
| List organizations and projects | Org Member or Org Read Only | Organization |
| Create new projects | Org Project Creator | Organization |
| View clusters and databases in a project | Project Read Only | Project |
| Create and manage clusters in a project | Project Cluster Manager | Project |
| Manage project access lists | Project IP Access List Admin | Project |
| Manage database users | Project Database Access Admin | Project |

You should typically use Project level roles for most operations, and assign those roles to the specific projects you need to manage or view. Avoid Organization Owner unless you require full administrative control over all projects and settings in the organization. Write down the permissions you want to use. You'll use them in the next section.

For a full list of roles and privileges, see Atlas User Roles.

Note

The MCP Server doesn't disable or hide tools based on the service account permissions. If the service account doesn't have the permission to access a tool, trying to run the tool may result in an error.
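The role table and the note above can be turned into a pre-flight check. The following is an added example, not code from MongoDB or the MCP Server: it compares the roles granted to a service account with the operations you plan to run, and reports grants that no planned operation needs and operations whose tool would return an error. Operation and role names come from the table; the `audit` function, its input shapes, and the sample projects are assumptions.

```python
# Added example, not MongoDB code. Operation and role names are copied from the
# table on this page; audit() and its input shapes are assumptions.
ORG = "(organization)"
REQUIRED = {  # operation -> (level, roles of which any one is enough)
    "List organizations and projects": ("Organization", {"Org Member", "Org Read Only"}),
    "Create new projects": ("Organization", {"Org Project Creator"}),
    "View clusters and databases in a project": ("Project", {"Project Read Only"}),
    "Create and manage clusters in a project": ("Project", {"Project Cluster Manager"}),
    "Manage project access lists": ("Project", {"Project IP Access List Admin"}),
    "Manage database users": ("Project", {"Project Database Access Admin"}),
}
OWNER = "Organization Owner"  # full administrative control; flagged separately


def audit(planned_ops, org_roles, project_roles):
    """Compare a service account's grants with the operations it must run.

    planned_ops: operations (keys of REQUIRED) the MCP Server is meant to perform
    org_roles: set of organization-level roles on the service account
    project_roles: {project name: set of project-level roles}
    Returns a dict with 'missing' (tools that would error), 'excess' (grants no
    planned operation needs) and 'owner' (True if Organization Owner is granted).
    """
    owner = OWNER in org_roles
    missing, used = [], set()
    for op in planned_ops:
        level, accepted = REQUIRED[op]
        scopes = {ORG: org_roles} if level == "Organization" else project_roles
        for scope, granted in scopes.items():
            hit = sorted(accepted & set(granted))
            if hit:
                used.add((scope, hit[0]))  # one accepted role is enough
            elif not owner:  # Organization Owner already covers every operation
                missing.append((op, scope))
    granted_all = {(ORG, r) for r in org_roles if r != OWNER}
    granted_all |= {(p, r) for p, roles in project_roles.items() for r in roles}
    return {"missing": missing, "excess": sorted(granted_all - used), "owner": owner}


if __name__ == "__main__":
    # Constructed sample: the account should only browse two projects.
    report = audit(
        planned_ops=["List organizations and projects",
                     "View clusters and databases in a project"],
        org_roles={"Org Member", "Org Project Creator"},
        project_roles={"analytics": {"Project Read Only", "Project Cluster Manager"},
                       "billing": set()},
    )
    for key, value in report.items():
        print(key, value)
```

Entries under `excess` are roles to remove from the service account, and entries under `missing` are operations that will fail for the listed project until the role from the table is assigned there.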

To create an Atlas service account and allow access to your cluster, perform these steps:

1
  1. Log in to Atlas at cloud.mongodb.com.

  2. To access your organization, navigate to Access Manager > Organization Access. The instructions assume you have an organization already created.

  3. Click Add new > Application > Service Account.

  4. Enter a name, description, and set an expiration period.

  5. Select the permissions you chose in the previous section.

  6. Click Create.

Note

The Atlas user interface is subject to change and the steps may vary.

2

After you create your Atlas service account, you'll see a client ID and client secret. Copy and save the client secret because it won't be displayed again.

You'll use the client ID and client secret to set the apiClientId and apiClientSecret in the Connecting with Atlas API Credentials section later.

3

To allow the MCP Server to connect to your Atlas cluster, add an access list entry for the IP address of the computer on which the MCP Server runs. If you run the MCP Server on your local machine, add your local IP address.

  1. Navigate to Network Access.

  2. Click Add IP Address.

  3. Enter your IP address.

After you create the service account, you can configure the MCP Server to use the Atlas API credentials. For details, see Connecting with Atlas API Credentials.
