mongodb-js/mongodb-mcp-server

[Bug]: Atlas API Permission Issue

Closed this issue · 2 comments

Ilya-g-png commented

Version

1848414

App

  • Cursor
  • Windsurf
  • VSCode
  • VSCode Insiders
  • Claude Desktop
  • Other

Affected Models (if applicable)

  • Claude 3.5 Sonnet
  • Claude 3.7 Sonnet
  • GPT-4a
  • o4-mini
  • Other

Bug Description

MongoDB MCP Server - Atlas API Permission Issue

Bug Summary

The MongoDB MCP server fails to connect to Atlas clusters and read data when using Atlas API with "read-only" permissions, requiring full "Project Owner" permissions to function properly. This contradicts the expected behavior for read-only operations.

Environment

  • MCP Server: mongodb-mcp-server (latest via npx)
  • MongoDB Atlas: Cluster on Atlas (M50 tier)
  • MCP Configuration: Using Atlas API credentials with --readOnly flag
  • Connection Method: Atlas API (not direct connection string)

Expected Behavior

The MCP server should be able to:

  1. Connect to Atlas clusters
  2. List databases
  3. List collections
  4. Read data from collections

When configured with minimal read permissions such as:

  • Project Read Only
  • Project Data Access Read Only

Actual Behavior

The MCP server fails with authentication errors when using read-only permissions and only works with full Project Owner permissions.

Detailed Test Results

Working Configuration (Project Owner)

{
  "mcpServers": {
    "MongoDB": {
      "command": "npx",
      "args": [
        "-y", "mongodb-mcp-server",
        "--apiClientId", "mdb_sa_id_xxx",
        "--apiClientSecret", "mdb_sa_sk_xxx",
        "--readOnly"
      ]
    }
  }
}

Permissions: Project Owner
Result: All operations work (connect, list databases, list collections)

❌ Failing Configurations

Configuration 1: Minimal Read Permissions

Permissions:

  • Project Read Only
  • Project Data Access Read Only

Result:

  • atlas-list-clusters works
  • atlas-connect-cluster fails with 401 Unauthorized

Configuration 2: Extended Read Permissions

Permissions:

  • Project Read Only
  • Project Data Access Read Only
  • Project Observability Viewer
  • Project Cluster Manager

Result: Same as Configuration 1

Configuration 3: Admin Permissions (Without Owner)

Permissions:

  • Project Data Access Admin
  • Project Cluster Manager
  • Project Database Access Admin
  • Project Data Access Read Only
  • Project Observability Viewer
  • Project Read Only

Result:

  • atlas-connect-cluster works
  • list-databases fails with "Authentication failed"
  • list-collections works for specific databases

Error Messages

Connection Error (Insufficient Permissions)

Unable to authenticate with MongoDB Atlas, API error: [401 Unauthorized] 
error calling Atlas API: Unauthorized; Current user is not authorized to perform this action.

Database Listing Error (Even with Data Access Admin)

Error running list-databases: Authentication failed.

Analysis

  1. Atlas API metadata operations (list-clusters, list-users, etc.) work with basic read permissions
  2. Atlas cluster connection requires Project Data Access Admin (not just Read Only)
  3. Database listing fails even with Project Data Access Admin
  4. Collection listing works when database name is specified
  5. Only Project Owner enables full functionality

Impact

  • Users cannot use least-privilege access principles
  • Requires unnecessarily broad permissions for read-only operations
  • Security concern for production environments
  • Contradicts MongoDB Atlas best practices for API access

Reproduction Steps

  1. Create Atlas API key with Project Read Only + Project Data Access Read Only permissions
  2. Configure MCP server with --readOnly flag
  3. Attempt to connect and list data
  4. Observe authentication failures
  5. Upgrade to Project Owner permissions
  6. Observe that everything works

Additional Context

This issue was discovered during systematic permission testing where we incrementally tested different Atlas API permission combinations to find the minimum required access level.

github-actions commented

Thanks for opening this issue. The ticket MCP-74 was created for internal tracking.

fmenezes commented

Hi @Ilya-g-png,

thanks for your issue, unfortunately there is no Single Sign On between Atlas Control Plane and MongoDB Data Plane, which means the code to actually connect to an Atlas Cluster creates a new temporary user on the database to connect to it (reference in code).

Hence to connect to atlas clusters you need a minimum of Project Database Access Admin currently.

I hope this helps.

  • 👍1