Streamlining Grafana Access with Google OAuth Using kube-prometheus-stack

As my organization grew, so did the need to give other teams visibility into system metrics. Recently, product managers and analysts asked for read-only access to Grafana dashboards. As a DevOps engineer, it’s my responsibility to ensure they have access while keeping things simple and secure.

Instead of manually creating users, I decided to enable Google OAuth for Grafana. This way, everyone with a company Google account can log in easily. By default, I set their access to read-only, so they get the information they need without compromising system integrity. Here’s how I set it up using kube-prometheus-stack.


Steps to Set Up Google OAuth for Grafana (kube-prometheus-stack)

  1. Create OAuth Credentials in Google Cloud Console

First, I opened Google Cloud Console and:

  • Navigated to APIs & Services > Credentials.

  • Clicked Create Credentials > OAuth 2.0 Client ID.

  • Chose Web Application as the application type.

  • Added the Redirect URI based on how Grafana is exposed:

http://<grafana-url>/login/google

(If using HTTPS, I made sure to reflect that in the URL).

  • Saved the Client ID and Client Secret for later use.

  2. Update External Values File for kube-prometheus-stack

Since I use an external values file to configure the whole stack, I added the following Google OAuth section under the grafana configuration:

grafana:
  grafana.ini:
    auth.google:
      enabled: true
      client_id: <google-client-id>         # Replace with the actual Client ID
      client_secret: <google-client-secret> # Replace with the actual Client Secret
      scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
      auth_url: https://accounts.google.com/o/oauth2/auth
      token_url: https://accounts.google.com/o/oauth2/token
      api_url: https://www.googleapis.com/oauth2/v1/userinfo
      allowed_domains: <org-domain.com>         # Optional: Restrict logins to a specific domain
      allow_sign_up: true                        # Enable automatic user sign-up

  3. Apply the Configuration Using Helm

With the values file ready, I applied the changes using Helm:

helm upgrade kube-prometheus-stack prometheus-community/kube-prometheus-stack -f <external-values-file>.yaml

  4. Verify the Setup

After deploying the changes, I accessed Grafana using the LoadBalancer IP or the Ingress URL. The login page now had a Sign in with Google option. I tested it by logging in with my company Google account, and everything worked perfectly.
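
A hardened variant of the external values file above, as an added example that is not part of the original setup: it keeps the client credentials out of the values file (the chart renders grafana.ini into a ConfigMap), sets root_url, and makes the read-only default explicit. The Secret name grafana-google-oauth is a hypothetical placeholder, and the Secret is assumed to already exist in the release namespace.

```yaml
# Added example; names marked "assumption" are not from the original post.
grafana:
  # Assumption: a Secret called grafana-google-oauth (hypothetical name) holds
  # the keys GF_AUTH_GOOGLE_CLIENT_ID and GF_AUTH_GOOGLE_CLIENT_SECRET.
  # Grafana treats GF_<SECTION>_<KEY> environment variables as overrides for
  # grafana.ini, so client_id and client_secret are omitted from the file below.
  envFromSecret: grafana-google-oauth

  grafana.ini:
    server:
      # Grafana builds the OAuth redirect from root_url, so scheme and host
      # must match the redirect URI registered in Google Cloud Console.
      root_url: https://<grafana-url>

    auth.google:
      enabled: true
      scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
      auth_url: https://accounts.google.com/o/oauth2/auth
      token_url: https://accounts.google.com/o/oauth2/token
      api_url: https://www.googleapis.com/oauth2/v1/userinfo
      # Treat as required when allow_sign_up is true: without it, Grafana
      # itself does not limit sign-up to the company domain.
      allowed_domains: <org-domain.com>
      allow_sign_up: true

    users:
      # Viewer is already Grafana's default for auto-created users; pinning it
      # keeps new OAuth accounts read-only even if the default is changed elsewhere.
      auto_assign_org_role: Viewer
```

After applying it, a new account signing in through Google should show the Viewer role in the Grafana user list, and the rendered grafana.ini ConfigMap should contain no client secret.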


How This Setup Makes My Life Easier

With Google OAuth enabled:

  • I no longer need to manually manage users—new team members can simply log in with their Google accounts.

  • Security is streamlined by restricting access to users with company email domains.

  • Read-only access is provided by default, keeping dashboards safe from accidental changes.

  • It’s scalable—if more teams need access, I don’t have to do anything extra.

This setup saves me time and ensures the right people have the access they need. It’s satisfying to know I’ve set things up in a way that will continue to work smoothly as the organization grows.


This simple change has made a big difference in how I manage access to Grafana. Now, I can focus on more important things, knowing that my monitoring setup is easy to use and secure for everyone who needs it.