As my organization grew, so did the need to give other teams visibility into system metrics. Recently, product managers and analysts asked for read-only access to Grafana dashboards. As a DevOps engineer, it’s my responsibility to ensure they have access while keeping things simple and secure.
Instead of manually creating users, I decided to enable Google OAuth for Grafana. This way, everyone with a company Google account can log in easily. By default, I set their access to read-only, so they get the information they need without compromising system integrity. Here’s how I set it up using kube-prometheus-stack.
Steps to Set Up Google OAuth for Grafana (kube-prometheus-stack)
Create OAuth Credentials in Google Cloud Console
First, I opened Google Cloud Console and:
- Navigated to APIs & Services > Credentials.
- Clicked Create Credentials > OAuth 2.0 Client ID.
- Chose Web Application as the application type.
- Added the Redirect URI based on how Grafana is exposed: http://<grafana-url>/login/google (if using HTTPS, I made sure to reflect that in the URL).
- Saved the Client ID and Client Secret for later use.
Update External Values File for kube-prometheus-stack
Since I use an external values file to configure the whole stack, I added the following Google OAuth section under the grafana configuration:
grafana:
  grafana.ini:
    auth.google:
      enabled: true
      client_id: <google-client-id> # Replace with the actual Client ID
      client_secret: <google-client-secret> # Replace with the actual Client Secret
      scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
      auth_url: https://accounts.google.com/o/oauth2/auth
      token_url: https://accounts.google.com/o/oauth2/token
      api_url: https://www.googleapis.com/oauth2/v1/userinfo
      allowed_domains: <org-domain.com> # Optional: Restrict logins to a specific domain
      allow_sign_up: true # Enable automatic user sign-up
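A variant of the values above, added here as an example and not part of the original setup: it keeps the client secret out of the values file by loading it from a Kubernetes Secret, and it states the read-only default explicitly. The Secret name grafana-google-oauth and the host grafana.example.com are assumptions.

```yaml
grafana:
  # Assumption: a Secret named grafana-google-oauth exists in Grafana's
  # namespace with the keys GF_AUTH_GOOGLE_CLIENT_ID and
  # GF_AUTH_GOOGLE_CLIENT_SECRET. Grafana treats GF_<SECTION>_<KEY>
  # environment variables as overrides for grafana.ini settings.
  envFromSecret: grafana-google-oauth
  grafana.ini:
    server:
      # Assumption: Grafana is served over HTTPS at this host. Grafana builds
      # the OAuth callback URL from root_url, so it has to match the redirect
      # URI registered in Google Cloud Console.
      root_url: https://grafana.example.com
    users:
      # Role given to users created on first login. Viewer is Grafana's
      # default; setting it explicitly keeps the read-only intent visible
      # to anyone reviewing the values file.
      auto_assign_org_role: Viewer
    auth.google:
      enabled: true
      # client_id and client_secret are intentionally absent here: they are
      # supplied by the environment variables injected through envFromSecret.
      scopes: https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
      auth_url: https://accounts.google.com/o/oauth2/auth
      token_url: https://accounts.google.com/o/oauth2/token
      api_url: https://www.googleapis.com/oauth2/v1/userinfo
      # With allow_sign_up enabled, this setting is what limits sign-in to
      # company accounts. Left unset, any Google account could create a user.
      allowed_domains: <org-domain.com>
      allow_sign_up: true
```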
Apply the Configuration Using Helm
With the values file ready, I applied the changes using Helm:
helm upgrade kube-prometheus-stack prometheus-community/kube-prometheus-stack -f <external-values-file>.yaml
Verify the Setup
After deploying the changes, I accessed Grafana using the LoadBalancer IP or the Ingress URL. The login page now had a Sign in with Google option. I tested it by logging in with my company Google account, and everything worked perfectly.
How This Setup Makes My Life Easier
With Google OAuth enabled:
- I no longer need to manually manage users—new team members can simply log in with their Google accounts.
- Security is streamlined by restricting access to users with company email domains.
- Read-only access is provided by default, keeping dashboards safe from accidental changes.
- It’s scalable—if more teams need access, I don’t have to do anything extra.
This setup saves me time and ensures the right people have the access they need. It’s satisfying to know I’ve set things up in a way that will continue to work smoothly as the organization grows.
This simple change has made a big difference in how I manage access to Grafana. Now, I can focus on more important things, knowing that my monitoring setup is easy to use and secure for everyone who needs it.