mongodb-mcp-setup

仓库: mongodb/agent-skills
安装量: 207
排名: #9534

安装

npx skills add https://github.com/mongodb/agent-skills --skill mongodb-mcp-setup
MongoDB MCP Server Setup
This skill guides users through configuring the MongoDB MCP server for use with an agentic client.
Overview
The MongoDB MCP server requires authentication. Users have three options:
Connection String
(Option A): Direct connection to a specific cluster
Quick setup for single cluster
Requires
MDB_MCP_CONNECTION_STRING
environment variable
Service Account Credentials
(Option B): MongoDB Atlas Admin API access
Recommended for Atlas users
- simplifies authentication and data access
Access to Atlas Admin API and dynamic cluster connection via
atlas-connect-cluster
No manual DB user credential management
Requires
MDB_MCP_API_CLIENT_ID
and
MDB_MCP_API_CLIENT_SECRET
environment variables
Atlas Local
(Option C): Local development with Docker
Best for local testing
- zero configuration required
Runs Atlas locally in Docker, requires Docker installed
No credentials or cloud cluster access
This is an interactive step-by-step guide. The agent detects the user's environment and provides tailored instructions, but
never asks for or handles credentials
— users add those directly to their shell profile in Step 5. Make this clear to the user whenever credentials come up in Steps 3a and 3b.
Step 1: Check Existing Configuration
Before starting the setup, check if the user already has the required environment variables configured.
Run this command to check for existing configuration (masking values to avoid exposing credentials):
env
|
grep
"^MDB_MCP"
|
sed
'/^MDB_MCP_READ_ONLY=/!s/=.*/=[set]/'
Interpretation:
If
MDB_MCP_CONNECTION_STRING
is set → connection string auth is configured
If both
MDB_MCP_API_CLIENT_ID
and
MDB_MCP_API_CLIENT_SECRET
are set → service account auth is configured. If only one is set, treat it as incomplete.
If
MDB_MCP_READ_ONLY=true
→ read-only mode is enabled
Partial Configuration Handling:
User wants to add read-only to existing setup (has auth, no
MDB_MCP_READ_ONLY
) → skip to Step 4
User wants to switch authentication methods → explain they should remove the old variables from their shell profile first, then proceed with Steps 2–5
User wants to update credentials → skip to Step 5 (profile editing instructions)
Important
If the user wants an Atlas Admin API action (managing clusters, creating users, performance advisor) but only has
MDB_MCP_CONNECTION_STRING
, explain they need service account credentials and offer to walk through setup.
Step 2: Present Configuration Options
If no valid configuration exists, present the options:
Connection String (Option A)
— Best for:
Single cluster access
Existing database credentials
Self-hosted MongoDB or no Atlas Admin API needs
Service Account Credentials (Option B)
— Best for:
MongoDB Atlas users (recommended)
Multi-cluster switching
Atlas Admin API access (cluster management, user creation, performance monitoring)
Atlas Local (Option C)
— Best for:
Local development/testing without cloud setup
Fastest setup with Docker, no credentials required
Ask the user which option they'd like to proceed with.
Step 3a: Connection String Setup
If the user chooses Option A:
3a.1: Explain How to Find the Connection String
Explain where and how to obtain their connection string:
For MongoDB Atlas:
Go to
cloud.mongodb.com
Select your cluster → click
Connect
Choose
Drivers
or
Shell
→ copy the connection string
Replace
and
with your database user credentials
For self-hosted MongoDB:
The connection string is typically configured by your DBA or in your application config
Format:
mongodb://username:password@host:port/database
Expected formats:
mongodb://username:password@host:port/database
mongodb+srv://username:password@cluster.mongodb.net/database
mongodb://host:port
(local, no auth)
Proceed to Step 4 (Determine Read-Only Access).
Step 3b: Service Account Setup
If the user chooses Option B:
3b.1: Guide Through Atlas Service Account Creation
Direct the user to create a MongoDB Atlas Service Account:
Full documentation
:
https://www.mongodb.com/docs/mcp-server/prerequisites/
Walk them through the key steps:
Navigate to MongoDB Atlas
cloud.mongodb.com
Go to Access Manager
Service Accounts
Create Service Account
Set Permissions
— Grant Organization Member or Project Owner (see docs for exact permission mappings)
Generate Credentials
— Create Client ID and Secret
⚠️ The
Client Secret is shown only once
— save it immediately before leaving the page
Note both values
— you'll need Client ID and Client Secret for Step 5
3b.2: API Access List Configuration
⚠️
CRITICAL
The user MUST add their IP address to the service account's API Access List, or all Atlas Admin API operations will fail.
Steps:
On the service account details page, find
API Access List
Click
Add Access List Entry
Add your current IP address. Use a specific IP or CIDR range whenever possible.
⚠️
0.0.0.0/0
allows access from any IP — this is a significant security risk.
Only use it as a last resort for temporary testing and remove it immediately afterward. It should never be used in production.
Save changes
This is more secure than global Network Access settings as it only affects API access, not database connections.
Proceed to Step 4 (Determine Read-Only Access).
Step 3c: Atlas Local Setup
If the user chooses Option C:
3c.1: Check Docker Installation
Verify Docker is installed:
docker
info
If not installed, direct them to:
https://www.docker.com/get-started
3c.2: Confirm Setup Complete
Atlas Local requires no credentials — the user is ready to go:
Create deployments:
atlas-local-create-deployment
List deployments:
atlas-local-list-deployments
All operations work out of the box with Docker
Skip Steps 4 and 5
(no configuration needed) and proceed to Step 6 (Next Steps).
Step 4: Determine Read-Only vs Read-Write Access
Only applies to Options A and B. Skip to Step 6 for Option C.
Ask whether they want read-only or read-write access:
Read-Write
(default): Full data access, modifications allowed
Best for: Development, testing, administrative tasks
Read-Only
Data reads only, no modifications
Best for: Production data safety, reporting, compliance
If read-only
include
export MDB_MCP_READ_ONLY="true"
in the profile snippet in Step 5.
If read-write
omit
MDB_MCP_READ_ONLY
(defaults to read-write).
Proceed to Step 5 (Update Shell Profile).
Step 5: Update Shell Profile
Help the user add the environment variables to their shell profile.
Do not ask for or handle credentials
— provide exact instructions so the user can add them directly.
5.1: Detect Shell and Profile File
If the user is on Windows, assume
PowerShell
but ask the user to confirm. For Unix/macOS, detect the shell to determine the correct profile file by running:
echo
$SHELL
Based on the result, identify the appropriate profile file using your training data. If unsure which shell or profile they are using, ask them to specify the path.
5.2: Show the Exact Snippet to Add
Tell the user to store credentials in a dedicated
~/.mcp-env
file (not directly in their shell profile). This keeps credentials out of files that are often group/world readable by default and prevents accidentally committing them to git. Make sure to adapt the path in the instructions to be in the same folder as the shell profile file.
Step 1
Create/edit ~/.mcp-env (e.g. nano ~/.mcp-env ) and add: For Connection String (Option A):

MongoDB MCP Server Configuration

export MDB_MCP_CONNECTION_STRING = "" For Service Account (Option B):

MongoDB MCP Server Configuration (Atlas Service Account)

export
MDB_MCP_API_CLIENT_ID
=
""
export
MDB_MCP_API_CLIENT_SECRET
=
""
If read-only was chosen (Step 4), also add:
export
MDB_MCP_READ_ONLY
=
"true"
Step 2
Restrict permissions on the file so only the owner can read it: chmod 600 ~/.mcp-env

adapt command for Windows if needed

Step 3
Source the file from the shell profile. Tell the user to open their profile file (e.g. code ~/.zshrc , nano ~/.zshrc ) and add this line: source ~/.mcp-env Adjust syntax for the detected shell (e.g. for fish: bass source ~/.mcp-env or set variables directly with set -x ; for PowerShell: dot-source a .ps1 file instead). 5.3: After Editing — Reload and Verify Once the user has saved the file, provide the commands to reload and verify: Reload the profile: source ~/.zshrc

adjust path to match their profile file

Verify the variables are set (masking values to avoid exposing credentials):
env
|
grep
"^MDB_MCP"
|
sed
'/^MDB_MCP_READ_ONLY=/!s/=.*/=[set]/'
Expected output should show the variable name(s) they just added, each with
=[set]
. If nothing appears, check that
source ~/.mcp-env
is in the profile file, the profile was reloaded, and
~/.mcp-env
was saved.
Proceed to Step 6 (Next Steps).
Step 6: Next Steps
For Options A & B (Connection String / Service Account):
Restart the agentic client
Fully quit the client, then in your terminal run
source
(e.g.
source ~/.zshrc
, adjust command and path based on the user shell) to load the new variables into the current shell session. Open the client from that same shell session so it inherits the environment.
Verify MCP Server
After restart, test by performing a MongoDB operation.
Using the Tools
:
Option A: Direct database access tools available
Option B: Additionally has Atlas Admin API tools and
atlas-connect-cluster
Important (Option B)
Ensure your IP is in the service account's API Access List or all API calls will fail
For Option C (Atlas Local):
Ready to use
No restart or configuration needed!
Next steps
:
Create deployments:
atlas-local-create-deployment
List deployments:
atlas-local-list-deployments
Use standard database operations once connected
Troubleshooting
Variables not appearing after
source
Check the profile file path and confirm the file was saved
Client doesn't pick up variables
Ensure full restart (quit + reopen), not just a reload
Invalid connection string format
Re-check the format; must start with
mongodb://
or
mongodb+srv://
Atlas Admin API errors (Option B)
Verify your IP is in the service account's API Access List
Read-only mode not working
Check
MDB_MCP_READ_ONLY=true
is set — run
env | grep ^MDB_MCP_READ_ONLY
fish/PowerShell
Syntax differs — use set -x (fish) or $env: (PowerShell) instead of export
返回排行榜