diff --git a/deploy/azure/README.md b/deploy/azure/README.md
index b7ac079ee..263c224f5 100644
--- a/deploy/azure/README.md
+++ b/deploy/azure/README.md
@@ -8,7 +8,7 @@ This directory contains an Azure Bicep template (`bicep/main.bicep`) and support
 
 - Azure CLI (2.55.0 or later) installed and signed in (`az login`).
 - Azure subscription with permissions to deploy the required resources.
-- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:latest).
+- MongoDB MCP server container image available in dockerhub registry (mongodb/mongodb-mcp-server:1.2.0). Version 1.2.0 has been validated for Azure AI Foundry compatibility when the aggregate, create-index, explain, and export tools are omitted (additional tools are disabled by default for security). You can reference the `latest` tag instead if you want to experiment with newer builds.
 
 ## Parameter Files
 
@@ -19,6 +19,17 @@ Two sample parameter files are provided to help you tailor deployments:
 
 > **Tip:** Update the image reference, secrets, networking, and any other environment-specific values in the chosen parameter file before deployment.
 
+### Managed Identity Authentication Parameters
+
+When using `bicep/paramsWithAuthEnabled.json`, provide tenant and app-specific values for the following parameters before deployment:
+
+- `authClientId`: Set to the application (client) ID of the Microsoft Entra ID app registration that represents the MongoDB MCP server API (often the managed identity or a server-side app registration).
+- `authIssuerUrl`: Use the issuer URL for your tenant. Use `//v2.0`, and replace with the authentication endpoint for your cloud environment (for example, "https://login.microsoftonline.com" for global Azure), also replacing with the Directory (tenant) ID in which the app registration was created.
+- `authTenantId`: The tenant ID (directory ID) of the Microsoft Entra tenant that owns the identities interacting with the MCP server. Obtain it via `az account show --query tenantId -o tsv`.
+- `authAllowedClientApps` (optional): Provide an array of application (client) IDs for every client that should be allowed to request tokens for the MongoDB MCP server (for example, front-end apps, automation scripts, or integration partners). Omit this property to allow all clients without any filtering.
+
+For deeper guidance on Microsoft Entra authentication in Azure Container Apps, see the official docs: .
+
 ## Deploy the Bicep Template
 
 1. **Set common variables (PowerShell example):**
@@ -54,6 +65,8 @@ Two sample parameter files are provided to help you tailor deployments:
 --parameters @$parameterFile
 ```
 
+If the deployment returns an error, rerun the command with `--debug` to surface detailed troubleshooting output.
+
 5. **Monitor outputs:** Review the deployment outputs and logs for connection endpoints, credential references, or other values needed to complete integration.
 
 ## Post-Deployment Checklist
diff --git a/deploy/azure/bicep/main.bicep b/deploy/azure/bicep/main.bicep
index 241b1565b..32b1e52c1 100644
--- a/deploy/azure/bicep/main.bicep
+++ b/deploy/azure/bicep/main.bicep
@@ -8,7 +8,7 @@ param location string = resourceGroup().location
 param containerAppName string = 'mongo-mcp-server-app'
 
 @description('Docker image to deploy')
-param containerImage string = 'mongodb/mongodb-mcp-server:latest'
+param containerImage string = 'mongodb/mongodb-mcp-server:1.2.0'
 
 @description('Container CPU (vCPU) as string. Allowed: 0.25 - 2.0 in 0.25 increments')
 @allowed([
diff --git a/deploy/azure/bicep/params.json b/deploy/azure/bicep/params.json
index 137a4ca45..c64ad2fc0 100644
--- a/deploy/azure/bicep/params.json
+++ b/deploy/azure/bicep/params.json
@@ -3,8 +3,8 @@
   "contentVersion": "1.0.0.0",
   "parameters": {
     "containerAppEnvName": { "value": "container-app-env" },
-    "containerAppName": { "value": "mongo-mcp-server-app-without-auth" },
-    "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+    "containerAppName": { "value": "mongo-mcp-without-auth" },
+    "containerImage": { "value": "mongodb/mongodb-mcp-server:1.2.0" },
     "containerCpu": { "value": "1.0" },
     "containerMemory": { "value": "2Gi" },
     "appEnvironmentVars": {
@@ -15,10 +15,10 @@
         "MDB_MCP_TRANSPORT": "http",
         "MDB_MCP_LOGGERS": "disk,mcp,stderr",
         "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
-        "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+        "MDB_MCP_DISABLED_TOOLS": "aggregate,create-index,explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
       }
     },
-    "authMode": { "value": "NOAUTH" },
-    "mdbConnectionString": { "value": "" }
+    "mdbConnectionString": { "value": "" },
+    "authMode": { "value": "NOAUTH" }
   }
 }
diff --git a/deploy/azure/bicep/paramsWithAuthEnabled.json b/deploy/azure/bicep/paramsWithAuthEnabled.json
index 78c0a30d0..8ab1e0d9e 100644
--- a/deploy/azure/bicep/paramsWithAuthEnabled.json
+++ b/deploy/azure/bicep/paramsWithAuthEnabled.json
@@ -3,8 +3,8 @@
   "contentVersion": "1.0.0.0",
   "parameters": {
     "containerAppEnvName": { "value": "container-app-env" },
-    "containerAppName": { "value": "mongo-mcp-server-app-with-auth" },
-    "containerImage": { "value": "mongodb/mongodb-mcp-server:latest" },
+    "containerAppName": { "value": "mongo-mcp-with-auth" },
+    "containerImage": { "value": "mongodb/mongodb-mcp-server:1.2.0" },
     "containerCpu": { "value": "1.0" },
     "containerMemory": { "value": "2Gi" },
     "appEnvironmentVars": {
@@ -15,7 +15,7 @@
         "MDB_MCP_TRANSPORT": "http",
         "MDB_MCP_LOGGERS": "disk,mcp,stderr",
         "MDB_MCP_LOG_PATH": "/tmp/mongodb-mcp",
-        "MDB_MCP_DISABLED_TOOLS": "explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
+        "MDB_MCP_DISABLED_TOOLS": "aggregate,create-index,explain,export,atlas-create-access-list,atlas-create-db-user,drop-database,drop-collection,delete-many"
       }
     },
     "mdbConnectionString": { "value": "" },
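Review bot: The `mdbConnectionString` line this hunk moves keeps the MongoDB URI, which normally carries the database credential, as a literal value in a parameter file that sits beside the template and is easy to commit, and the `authMode` line added right after it sets `NOAUTH`, so one file ends up holding both the credential and an unauthenticated entry point to it (`MDB_MCP_TRANSPORT` is `http` in the context lines above). If `mdbConnectionString` is declared `@secure()` in `main.bicep` (its declaration is outside this diff), the sample could point at a Key Vault secret instead of a literal: `"mdbConnectionString": { "reference": { "keyVault": { "id": "<key-vault-resource-id>" }, "secretName": "<secret-name>" } },`. Note also that `MDB_MCP_DISABLED_TOOLS` is a deny list: every tool the pinned 1.2.0 image ships that is not named here, including any write tools beyond `delete-many` and the two drop tools, stays callable without authentication in this configuration, which is worth stating in the README next to the NOAUTH sample rather than relying on readers to infer it from the list.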