Skip to content
Latchkey

Atlas "IP address is not whitelisted" / connection not allowed from CI IP

Atlas rejected the connection because the runner egress IP is not in the project Network Access list. Atlas denies all traffic by default; CI runners use dynamic IPs that were never allowlisted.

What this error means

Server selection fails and the driver reports the connection is not allowed from your IP, or logs show the handshake closed by Atlas. It works from a developer machine whose IP is allowlisted.

node
MongoServerSelectionError: connection <monitor> to 34.x.x.x:27017 closed
Reason: connection ... is not allowed from your current IP address

Common causes

The runner IP is not in Network Access

GitHub-hosted runners use rotating egress IPs, so the exact address is never in the Atlas allowlist and Atlas blocks it.

A prior temporary allowlist entry expired

A time-boxed access entry from an earlier run has expired, so the next run is blocked again.

How to fix it

Allow CI traffic in Network Access

  1. For a controlled internal project, add the CI egress CIDR to Atlas Network Access.
  2. For GitHub-hosted runners with dynamic IPs, either use a self-hosted runner with a fixed IP or add access at run time via the Atlas API.
  3. Avoid a permanent 0.0.0.0/0 on production data; scope it or make it temporary.
Terminal
# temporary CI access via the Atlas Admin API (removed after the job)
IP=$(curl -s https://checkip.amazonaws.com)
curl -s -u "$ATLAS_PUBLIC_KEY:$ATLAS_PRIVATE_KEY" --digest \
  -X POST "https://cloud.mongodb.com/api/atlas/v2/groups/$ATLAS_PROJECT_ID/accessList" \
  -H 'Content-Type: application/json' \
  -d "[{\"ipAddress\":\"$IP\",\"comment\":\"ci temp\"}]"

Add and later remove the entry with the Atlas CLI

Use the Atlas CLI to add the current runner IP before tests and delete it afterward so the allowlist stays clean.

Terminal
atlas accessLists create "$(curl -s https://checkip.amazonaws.com)" --comment "ci temp"
# after tests
atlas accessLists delete "$(curl -s https://checkip.amazonaws.com)" --force

How to prevent it

  • Manage CI access via the Atlas API/CLI so entries are temporary and scoped.
  • Prefer self-hosted runners with a stable egress IP for a fixed allowlist entry.
  • Reserve 0.0.0.0/0 for throwaway test projects, never production data.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →