Streamlining Grafana Access with Google OAuth Using kube-prometheus-stack
As my organization grew, so did the need to give other teams visibility into system metrics. Recently, product managers and analysts asked for read-only access to Grafana dashboards. As a DevOps engineer, it’s my responsibility to ensure they have access while keeping things simple and secure.
Instead of manually creating users, I decided to enable Google OAuth for Grafana. This way, everyone with a company Google account can log in easily. By default, I set their access to read-only, so they get the information they need without compromising system integrity. Here’s how I set it up using kube-prometheus-stack.
Steps to Set Up Google OAuth for Grafana (kube-prometheus-stack)
Create OAuth Credentials in Google Cloud Console
First, I opened Google Cloud Console and:
- Navigated to APIs & Services > Credentials.
- Clicked Create Credentials > OAuth 2.0 Client ID.
- Chose Web Application as the application type.
- Added the Redirect URI based on how Grafana is exposed:
  http://<grafana-url>/login/google
  (If using HTTPS, I made sure to reflect that in the URL.)
- Saved the Client ID and Client Secret for later use.
Update External Values File for kube-prometheus-stack
Since I use an external values file to configure the whole stack, I added the following Google OAuth section under the grafana configuration:
grafana:
  grafana.ini:
    auth.google:
      enabled: true
      client_id: <google-client-id> # Replace with the actual Client ID
      client_secret: <google-client-secret> # Replace with the actual Client Secret
      scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
      auth_url: https://accounts.google.com/o/oauth2/auth
      token_url: https://accounts.google.com/o/oauth2/token
      api_url: https://www.googleapis.com/oauth2/v1/userinfo
      allowed_domains: <org-domain.com> # Optional: Restrict logins to a specific domain
      allow_sign_up: true # Enable automatic user sign-up
Apply the Configuration Using Helm
With the values file ready, I applied the changes using Helm:
helm upgrade kube-prometheus-stack prometheus-community/kube-prometheus-stack -f <external-values-file>.yaml
Verify the Setup
After deploying the changes, I accessed Grafana using the LoadBalancer IP or the Ingress URL. The login page now had a Sign in with Google option. I tested it by logging in with my company Google account, and everything worked perfectly.
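Beyond the login test, the access-control side of this setup (domain restriction, read-only default, where the client secret lives) can be checked against the rendered grafana.ini. The script below is an added example, not part of the original post; the function name, the sample config and the findings wording are constructed for illustration, and it assumes Grafana's shipped defaults of `allow_sign_up = true` for Google and `auto_assign_org_role = Viewer`.

```python
import configparser
import re

# Constructed sample of a rendered grafana.ini (not taken from a real cluster).
SAMPLE_INI = """\
[auth.google]
enabled = true
client_id = example-id.apps.googleusercontent.com
client_secret = constructed-literal-secret
allowed_domains = <org-domain.com>
allow_sign_up = true

[users]
auto_assign_org_role = Editor
"""

# Grafana variable expansion: the value is read from a file or env var at startup.
EXPANSION = re.compile(r"^\$__(file|env)\{.+\}$")


def audit_google_oauth(ini_text):
    """Return findings for the Google OAuth settings in a rendered grafana.ini."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.getboolean("auth.google", "enabled", fallback=False):
        return ["auth.google is not enabled"]
    findings = []

    raw = cfg.get("auth.google", "allowed_domains", fallback="")
    domains = [d for d in re.split(r"[\s,]+", raw) if d]
    if any("<" in d or ">" in d for d in domains):
        findings.append("allowed_domains still holds a template placeholder")
    # Assumed default: Grafana ships allow_sign_up = true for auth.google.
    sign_up = cfg.getboolean("auth.google", "allow_sign_up", fallback=True)
    if sign_up and not domains:
        findings.append("sign-up is open to any Google account (no allowed_domains)")

    # Auto-created users get users.auto_assign_org_role (Viewer unless overridden).
    role = cfg.get("users", "auto_assign_org_role", fallback="Viewer")
    if sign_up and role != "Viewer":
        findings.append(f"new users are auto-assigned {role}, not read-only Viewer")

    # A literal secret here means it is stored wherever the config is stored.
    secret = cfg.get("auth.google", "client_secret", fallback="")
    if secret and not EXPANSION.match(secret):
        findings.append("client_secret is a literal value in the rendered config")
    return findings
```

Calling `audit_google_oauth(SAMPLE_INI)` on the constructed sample returns three findings; a config with a real domain, no role override and a `$__file{...}` secret returns an empty list.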
How This Setup Makes My Life Easier
With Google OAuth enabled:
- I no longer need to manually manage users—new team members can simply log in with their Google accounts.
- Security is streamlined by restricting access to users with company email domains.
- Read-only access is provided by default, keeping dashboards safe from accidental changes.
- It’s scalable—if more teams need access, I don’t have to do anything extra.
This setup saves me time and ensures the right people have the access they need. It’s satisfying to know I’ve set things up in a way that will continue to work smoothly as the organization grows.
This simple change has made a big difference in how I manage access to Grafana. Now, I can focus on more important things, knowing that my monitoring setup is easy to use and secure for everyone who needs it.
Written by
Amol Ovhal
I'm Amol, a DevOps Engineer who enjoys automation, continuous integration, and deployment. With extensive Hands-on experience in DevOps and Cloud Computing, I am proficient in various tools and technologies related to infrastructure automation, containerization, cloud platforms, monitoring and logging, and CI/CD. My ultimate objective is to assist organisations in achieving quicker, more effective software delivery while maintaining high levels of quality and dependability.