From 89d2d5aec090aaca498660ec37c18ee306cea310 Mon Sep 17 00:00:00 2001 From: Himanshu Singh Date: Thu, 11 Sep 2025 14:47:36 +0200 Subject: [PATCH 1/4] chore: update readme following sec recommendations This commit ensures that our examples promote use of environment variables for providing sensitive configuration options. Additionally we callout, whereever necessary, our recommendation of choosing env variables over command line arguments for the same. --- README.md | 134 +++++++++++++++++++++++++++++------------------------- 1 file changed, 72 insertions(+), 62 deletions(-) diff --git a/README.md b/README.md index d508b755d..3237b9bf7 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,9 @@ node -v ### Quick Start -**Note:** When using Atlas API credentials, be sure to assign only the minimum required permissions to your service account. See [Atlas API Permissions](#atlas-api-permissions) for details. +> **🔒 Security Recommendation 1:** When using Atlas API credentials, be sure to assign only the minimum required permissions to your service account. See [Atlas API Permissions](#atlas-api-permissions) for details. + +> **🔒 Security Recommendation 2:** For enhanced security, we strongly recommend using environment variables to pass sensitive configuration such as connection strings and API credentials instead of command line arguments. Command line arguments can be visible in process lists and logged in various system locations, potentially exposing your secrets. Environment variables provide a more secure way to handle sensitive information. Most MCP clients require a configuration file to be created or modified to add the MCP server. @@ -60,22 +62,19 @@ Note: The configuration file syntax can be different across clients. Please refe > **Default Safety Notice:** All examples below include `--readOnly` by default to ensure safe, read-only access to your data. Remove `--readOnly` if you need to enable write operations. -#### Option 1: Connection String args +#### Option 1: Connection String -You can pass your connection string via args, make sure to use a valid username and password. +You can pass your connection string via environment variables, make sure to use a valid username and password. ```json { "mcpServers": { "MongoDB": { "command": "npx", - "args": [ - "-y", - "mongodb-mcp-server", - "--connectionString", - "mongodb://localhost:27017/myDatabase", - "--readOnly" - ] + "args": ["-y", "mongodb-mcp-server@latest", "--readOnly"], + "env": { + "MDB_MCP_CONNECTION_STRING": "mongodb://localhost:27017/myDatabase" + } } } } @@ -83,7 +82,7 @@ You can pass your connection string via args, make sure to use a valid username NOTE: The connection string can be configured to connect to any MongoDB cluster, whether it's a local instance or an Atlas cluster. -#### Option 2: Atlas API credentials args +#### Option 2: Atlas API Credentials Use your Atlas API Service Accounts credentials. Must follow all the steps in [Atlas API Access](#atlas-api-access) section. @@ -92,43 +91,35 @@ Use your Atlas API Service Accounts credentials. Must follow all the steps in [A "mcpServers": { "MongoDB": { "command": "npx", - "args": [ - "-y", - "mongodb-mcp-server", - "--apiClientId", - "your-atlas-service-accounts-client-id", - "--apiClientSecret", - "your-atlas-service-accounts-client-secret", - "--readOnly" - ] + "args": ["-y", "mongodb-mcp-server@latest", "--readOnly"], + "env": { + "MDB_MCP_API_CLIENT_ID": "your-atlas-service-accounts-client-id", + "MDB_MCP_API_CLIENT_SECRET": "your-atlas-service-accounts-client-secret" + } } } } ``` -#### Option 3: Standalone Service using command arguments +#### Option 3: Standalone Service using environment variables and command line arguments -Start Server using npx command: +You can source environment variables defined in a config file or explicitly set them like we do in the example below and run the server via npx. ```shell - npx -y mongodb-mcp-server@latest --apiClientId="your-atlas-service-accounts-client-id" --apiClientSecret="your-atlas-service-accounts-client-secret" --readOnly -``` - -- For a complete list of arguments see [Configuration Options](#configuration-options) -- To configure your Atlas Service Accounts credentials please refer to [Atlas API Access](#atlas-api-access) - -#### Option 4: Standalone Service using environment variables +# Set your credentials as environment variables first +export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" +export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" -```shell - npx -y mongodb-mcp-server@latest --readOnly +# Then start the server +npx -y mongodb-mcp-server@latest --readOnly ``` -You can use environment variables in the config file or set them and run the server via npx. - +- For a complete list of configuration options see [Configuration Options](#configuration-options) +- To configure your Atlas Service Accounts credentials please refer to [Atlas API Access](#atlas-api-access) - Connection String via environment variables in the MCP file [example](#connection-string-with-environment-variables) - Atlas API credentials via environment variables in the MCP file [example](#atlas-api-credentials-with-environment-variables) -#### Option 5: Using Docker +#### Option 4: Using Docker You can run the MongoDB MCP Server in a Docker container, which provides isolation and doesn't require a local Node.js installation. @@ -146,8 +137,12 @@ docker run --rm -i \ ##### Option B: With MongoDB connection string ```shell +# Set your credentials as environment variables first +export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:password@cluster.mongodb.net/myDatabase" + +# Then start the docker container docker run --rm -i \ - -e MDB_MCP_CONNECTION_STRING="mongodb+srv://username:password@cluster.mongodb.net/myDatabase" \ + -e MDB_MCP_CONNECTION_STRING \ -e MDB_MCP_READ_ONLY="true" \ mongodb/mongodb-mcp-server:latest ``` @@ -155,9 +150,14 @@ docker run --rm -i \ ##### Option C: With Atlas API credentials ```shell +# Set your credentials as environment variables first +export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" +export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" + +# Then start the docker container docker run --rm -i \ - -e MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" \ - -e MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" \ + -e MDB_MCP_API_CLIENT_ID \ + -e MDB_MCP_API_CLIENT_SECRET \ -e MDB_MCP_READ_ONLY="true" \ mongodb/mongodb-mcp-server:latest ``` @@ -196,11 +196,14 @@ With connection string: "--rm", "-i", "-e", - "MDB_MCP_CONNECTION_STRING=mongodb+srv://username:password@cluster.mongodb.net/myDatabase", + "MDB_MCP_CONNECTION_STRING", "-e", "MDB_MCP_READ_ONLY=true", "mongodb/mongodb-mcp-server:latest" - ] + ], + "env": { + "MDB_MCP_CONNECTION_STRING": "mongodb+srv://username:password@cluster.mongodb.net/myDatabase" + } } } } @@ -220,17 +223,21 @@ With Atlas API credentials: "-e", "MDB_MCP_READ_ONLY=true", "-e", - "MDB_MCP_API_CLIENT_ID=your-atlas-service-accounts-client-id", + "MDB_MCP_API_CLIENT_ID", "-e", - "MDB_MCP_API_CLIENT_SECRET=your-atlas-service-accounts-client-secret", + "MDB_MCP_API_CLIENT_SECRET", "mongodb/mongodb-mcp-server:latest" - ] + ], + "env": { + "MDB_MCP_API_CLIENT_ID": "your-atlas-service-accounts-client-id", + "MDB_MCP_API_CLIENT_SECRET": "your-atlas-service-accounts-client-secret" + } } } } ``` -#### Option 6: Running as an HTTP Server +#### Option 5: Running as an HTTP Server > **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.** @@ -316,6 +323,8 @@ NOTE: atlas tools are only available when you set credentials on [configuration] ## Configuration +> **🔒 Security Best Practice:** We strongly recommend using environment variables for sensitive configuration such as API credentials (`MDB_MCP_API_CLIENT_ID`, `MDB_MCP_API_CLIENT_SECRET`) and connection strings (`MDB_MCP_CONNECTION_STRING`) instead of command-line arguments. Environment variables are not visible in process lists and provide better security for your sensitive data. + The MongoDB MCP Server can be configured using multiple methods, with the following precedence (highest to lowest): 1. Command-line arguments @@ -551,47 +560,48 @@ export MDB_MCP_LOG_PATH="/path/to/logs" Pass configuration options as command-line arguments when starting the server: +> **🔒 Security Note:** For sensitive configuration like API credentials and connection strings, use environment variables instead of command-line arguments. + ```shell -npx -y mongodb-mcp-server@latest --apiClientId="your-atlas-service-accounts-client-id" --apiClientSecret="your-atlas-service-accounts-client-secret" --connectionString="mongodb+srv://username:password@cluster.mongodb.net/myDatabase" --logPath=/path/to/logs --readOnly --indexCheck +# Set sensistive data as environment variable +export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" +export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" +export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:password@cluster.mongodb.net/myDatabase" + +# Start the server with command line arguments +npx -y mongodb-mcp-server@latest --logPath=/path/to/logs --readOnly --indexCheck ``` #### MCP configuration file examples -##### Connection String with command-line arguments +##### Connection String with environment variables ```json { "mcpServers": { "MongoDB": { "command": "npx", - "args": [ - "-y", - "mongodb-mcp-server", - "--connectionString", - "mongodb+srv://username:password@cluster.mongodb.net/myDatabase", - "--readOnly" - ] + "args": ["-y", "mongodb-mcp-server", "--readOnly"], + "env": { + "MDB_MCP_CONNECTION_STRING": "mongodb+srv://username:password@cluster.mongodb.net/myDatabase" + } } } } ``` -##### Atlas API credentials with command-line arguments +##### Atlas API credentials with environment variables ```json { "mcpServers": { "MongoDB": { "command": "npx", - "args": [ - "-y", - "mongodb-mcp-server", - "--apiClientId", - "your-atlas-service-accounts-client-id", - "--apiClientSecret", - "your-atlas-service-accounts-client-secret", - "--readOnly" - ] + "args": ["-y", "mongodb-mcp-server", "--readOnly"], + "env": { + "MDB_MCP_API_CLIENT_ID": "your-atlas-service-accounts-client-id", + "MDB_MCP_API_CLIENT_SECRET": "your-atlas-service-accounts-client-secret" + } } } } From 15a2f622eeeda95fd98c0af882f8a9e68e7c0867 Mon Sep 17 00:00:00 2001 From: Himanshu Singh Date: Thu, 11 Sep 2025 14:52:23 +0200 Subject: [PATCH 2/4] Update README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3237b9bf7..bd338a61b 100644 --- a/README.md +++ b/README.md @@ -563,7 +563,7 @@ Pass configuration options as command-line arguments when starting the server: > **🔒 Security Note:** For sensitive configuration like API credentials and connection strings, use environment variables instead of command-line arguments. ```shell -# Set sensistive data as environment variable +# Set sensitive data as environment variable export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:password@cluster.mongodb.net/myDatabase" From 39653496bb97f1ee2186206fbafce34118d52b05 Mon Sep 17 00:00:00 2001 From: Himanshu Singh Date: Thu, 11 Sep 2025 15:02:55 +0200 Subject: [PATCH 3/4] chore: minor fixup --- README.md | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index bd338a61b..23c71c412 100644 --- a/README.md +++ b/README.md @@ -574,34 +574,45 @@ npx -y mongodb-mcp-server@latest --logPath=/path/to/logs --readOnly --indexCheck #### MCP configuration file examples -##### Connection String with environment variables +##### Connection String with command-line arguments + +> **🔒 Security Note:** We do not recommend passing connection string as command line argument. Connection string might contain credentials which can be visible in process lists and logged in various system locations, potentially exposing your credentials. Instead configure [connection string through environment variables](#connection-string-with-environment-variables) ```json { "mcpServers": { "MongoDB": { "command": "npx", - "args": ["-y", "mongodb-mcp-server", "--readOnly"], - "env": { - "MDB_MCP_CONNECTION_STRING": "mongodb+srv://username:password@cluster.mongodb.net/myDatabase" - } + "args": [ + "-y", + "mongodb-mcp-server", + "--connectionString", + "mongodb+srv://username:password@cluster.mongodb.net/myDatabase", + "--readOnly" + ] } } } ``` -##### Atlas API credentials with environment variables +##### Atlas API credentials with command-line arguments + +> **🔒 Security Note:** We do not recommend passing Atlas API credentials as command line argument. The provided credentials can be visible in process lists and logged in various system locations, potentially exposing your credentials. Instead configure [Atlas API credentials through environment variables](#atlas-api-credentials-with-environment-variables) ```json { "mcpServers": { "MongoDB": { "command": "npx", - "args": ["-y", "mongodb-mcp-server", "--readOnly"], - "env": { - "MDB_MCP_API_CLIENT_ID": "your-atlas-service-accounts-client-id", - "MDB_MCP_API_CLIENT_SECRET": "your-atlas-service-accounts-client-secret" - } + "args": [ + "-y", + "mongodb-mcp-server", + "--apiClientId", + "your-atlas-service-accounts-client-id", + "--apiClientSecret", + "your-atlas-service-accounts-client-secret", + "--readOnly" + ] } } } From 86cfd038d379da6aede90f91c91e0085466a896b Mon Sep 17 00:00:00 2001 From: Himanshu Singh Date: Thu, 11 Sep 2025 17:12:27 +0200 Subject: [PATCH 4/4] chore: add examples for cmd and pwsh --- README.md | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 23c71c412..77617e389 100644 --- a/README.md +++ b/README.md @@ -114,6 +114,8 @@ export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" npx -y mongodb-mcp-server@latest --readOnly ``` +> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + - For a complete list of configuration options see [Configuration Options](#configuration-options) - To configure your Atlas Service Accounts credentials please refer to [Atlas API Access](#atlas-api-access) - Connection String via environment variables in the MCP file [example](#connection-string-with-environment-variables) @@ -147,6 +149,8 @@ docker run --rm -i \ mongodb/mongodb-mcp-server:latest ``` +> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + ##### Option C: With Atlas API credentials ```shell @@ -162,6 +166,8 @@ docker run --rm -i \ mongodb/mongodb-mcp-server:latest ``` +> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + ##### Docker in MCP Configuration File Without options: @@ -370,6 +376,8 @@ You can combine multiple loggers, e.g. `--loggers disk stderr` or `export MDB_MC export MDB_MCP_LOGGERS="disk,stderr" ``` +> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + ##### Example: Set logger via command-line argument ```shell @@ -420,6 +428,8 @@ You can enable read-only mode using: - **Environment variable**: `export MDB_MCP_READ_ONLY=true` - **Command-line argument**: `--readOnly` +> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + When read-only mode is active, you'll see a message in the server logs indicating which tools were prevented from registering due to this restriction. #### Index Check Mode @@ -433,6 +443,8 @@ You can enable index check mode using: - **Environment variable**: `export MDB_MCP_INDEX_CHECK=true` - **Command-line argument**: `--indexCheck` +> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + When index check mode is active, you'll see an error message if a query is rejected due to not using an index. #### Exports @@ -456,6 +468,8 @@ You can disable telemetry using: - **Command-line argument**: `--telemetry disabled` - **DO_NOT_TRACK environment variable**: `export DO_NOT_TRACK=1` +> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + ### Atlas API Access To use the Atlas API tools, you'll need to create a service account in MongoDB Atlas: @@ -509,7 +523,9 @@ For a full list of roles and their privileges, see the [Atlas User Roles documen Set environment variables with the prefix `MDB_MCP_` followed by the option name in uppercase with underscores: -```shell +**Linux/macOS (bash/zsh):** + +```bash # Set Atlas API credentials (via Service Accounts) export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" @@ -517,8 +533,33 @@ export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" # Set a custom MongoDB connection string export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:password@cluster.mongodb.net/myDatabase" +# Set log path export MDB_MCP_LOG_PATH="/path/to/logs" +``` + +**Windows Command Prompt (cmd):** +```cmd +set "MDB_MCP_API_CLIENT_ID=your-atlas-service-accounts-client-id" +set "MDB_MCP_API_CLIENT_SECRET=your-atlas-service-accounts-client-secret" + +set "MDB_MCP_CONNECTION_STRING=mongodb+srv://username:password@cluster.mongodb.net/myDatabase" + +set "MDB_MCP_LOG_PATH=C:\path\to\logs" +``` + +**Windows PowerShell:** + +```powershell +# Set Atlas API credentials (via Service Accounts) +$env:MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" +$env:MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" + +# Set a custom MongoDB connection string +$env:MDB_MCP_CONNECTION_STRING="mongodb+srv://username:password@cluster.mongodb.net/myDatabase" + +# Set log path +$env:MDB_MCP_LOG_PATH="C:\path\to\logs" ``` #### MCP configuration file examples @@ -572,6 +613,8 @@ export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:password@cluster.mongod npx -y mongodb-mcp-server@latest --logPath=/path/to/logs --readOnly --indexCheck ``` +> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions. + #### MCP configuration file examples ##### Connection String with command-line arguments