Atlas "IP address is not whitelisted" / connection not allowed from CI IP
Atlas rejected the connection because the runner egress IP is not in the project Network Access list. Atlas denies all traffic by default; CI runners use dynamic IPs that were never allowlisted.
What this error means
Server selection fails and the driver reports the connection is not allowed from your IP, or logs show the handshake closed by Atlas. It works from a developer machine whose IP is allowlisted.
MongoServerSelectionError: connection <monitor> to 34.x.x.x:27017 closed
Reason: connection ... is not allowed from your current IP addressCommon causes
The runner IP is not in Network Access
GitHub-hosted runners use rotating egress IPs, so the exact address is never in the Atlas allowlist and Atlas blocks it.
A prior temporary allowlist entry expired
A time-boxed access entry from an earlier run has expired, so the next run is blocked again.
How to fix it
Allow CI traffic in Network Access
- For a controlled internal project, add the CI egress CIDR to Atlas Network Access.
- For GitHub-hosted runners with dynamic IPs, either use a self-hosted runner with a fixed IP or add access at run time via the Atlas API.
- Avoid a permanent 0.0.0.0/0 on production data; scope it or make it temporary.
# temporary CI access via the Atlas Admin API (removed after the job)
IP=$(curl -s https://checkip.amazonaws.com)
curl -s -u "$ATLAS_PUBLIC_KEY:$ATLAS_PRIVATE_KEY" --digest \
-X POST "https://cloud.mongodb.com/api/atlas/v2/groups/$ATLAS_PROJECT_ID/accessList" \
-H 'Content-Type: application/json' \
-d "[{\"ipAddress\":\"$IP\",\"comment\":\"ci temp\"}]"Add and later remove the entry with the Atlas CLI
Use the Atlas CLI to add the current runner IP before tests and delete it afterward so the allowlist stays clean.
atlas accessLists create "$(curl -s https://checkip.amazonaws.com)" --comment "ci temp"
# after tests
atlas accessLists delete "$(curl -s https://checkip.amazonaws.com)" --forceHow to prevent it
- Manage CI access via the Atlas API/CLI so entries are temporary and scoped.
- Prefer self-hosted runners with a stable egress IP for a fixed allowlist entry.
- Reserve 0.0.0.0/0 for throwaway test projects, never production data.