This post documents a real-world case of enabling Google OIDC-based login for Grafana.
It is written based on an environment where Grafana is managed via the official Helm chart using Terraform.
This guide may be helpful if you're looking to integrate a centralized authentication system into internal tools using OIDC.
For better understanding, check out this post first:
Why we introduced OIDC
All members in our organization are issued Google Workspace accounts. As we adopted several internal tools—Grafana, Argo CD, Vault, Jenkins, and others—user access management became increasingly important.
Managing separate user accounts for each tool was not only cumbersome but also introduced security concerns. To unify authentication across all services, we adopted Google OIDC as a centralized login mechanism.
This allowed us to simplify user management and establish a consistent authentication flow across the system.
Setup Process
Refer to the Grafana documentation:
Configure Google OAuth authentication | Grafana docs
1. Register OAuth Client in Google Cloud Console
This process could potentially be replaced with the Terraform resource google_iam_oauth_client in the future:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client
I plan to refactor accordingly.
- Go to Google Cloud Console
- Select your project
- Navigate to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Choose Web application as the application type
- Set a name
- Add your Grafana origin in Authorized JavaScript origins
- Set the redirect URI as defined in the official documentation: https://<your-grafana-domain>/login/google
Once created, securely store the client_id and client_secret (e.g., in Vault or AWS Secrets Manager).
2. Configure grafana.ini via Helm and Terraform
We configured the grafana.ini values through Terraform like this:
```hcl
// modules/grafana/main.tf
resource "helm_release" "default" {
  ...
  chart      = "grafana"
  repository = "https://grafana.github.io/helm-charts"
  values = [
    file("${path.module}/values.yaml"),
    jsonencode({
      ...
      "grafana.ini" = merge({
        ...
      }, var.grafana_ini)
      env = var.grafana_env
    })
  ]
}
```
```hcl
// grafana.tf
module "grafana" {
  source             = "../modules/grafana"
  storage_class_name = "grafana"
  ...
  grafana_ini = {
    ...
    "auth.google" = {
      enabled         = true
      allow_sign_up   = true
      auto_login      = true
      client_id       = local.grafana_secrets.grafana_google_client_id
      client_secret   = local.grafana_secrets.grafana_google_client_secret
      scopes          = "openid profile email"
      auth_url        = "https://accounts.google.com/o/oauth2/v2/auth"
      token_url       = "https://oauth2.googleapis.com/token"
      api_url         = "https://openidconnect.googleapis.com/v1/userinfo"
      allowed_domains = "my-company.com gmail.com"
      use_pkce        = true
    }
    server = {
      root_url = "https://grafana.my-company.com"
    }
  }
}
```
The client_id and client_secret are injected using the values created in step 1. The other settings follow the official documentation.
💡 Security Tip: Avoid hardcoding sensitive credentials like client_id and client_secret in your .tfvars or local values. Instead, load them from a secure secret manager such as Vault or AWS Secrets Manager:
```hcl
locals {
  grafana_secrets = jsondecode(data.aws_secretsmanager_secret_version.grafana_secrets.secret_string)
}
```
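To see what the merge() call and the chart's ConfigMap template actually produce from the map above, and to catch the settings worth a second look before running terraform apply, here is an added Python example (not code from the original post, the Grafana Helm chart, or Grafana itself). It assumes the secret is stored as a JSON object with the two keys referenced in the locals block, mimics Terraform's merge() with a shallow dict merge, renders the map as INI text the way the chart does, and then audits the auth.google section against a checklist I put together for this example: allow_sign_up combined with a public mail domain such as gmail.com, use_pkce left off, a literal client_secret (which lands in the rendered ConfigMap instead of being pulled at runtime through Grafana's $__env{} or $__file{} expansion), and a root_url that is not HTTPS. The PUBLIC_MAIL_DOMAINS list and the placeholder secret values are constructed for the example.

```python
"""Render and audit the [auth.google] settings that the Terraform/Helm setup
feeds into grafana.ini.

Added example, not code from the original post. Mirrors Terraform's merge()
of chart defaults with var.grafana_ini and the Grafana Helm chart rendering
that map into INI text. The audit rules are an assumed checklist, not a
Grafana feature.
"""
from __future__ import annotations

import configparser
import io
import json

# Domains owned by public identity providers rather than one organization.
# Constructed list for this example; extend it as needed.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Constructed sample secret in the shape the locals block jsondecode()s.
# Both values are placeholders, not real credentials.
SECRET_JSON = json.dumps({
    "grafana_google_client_id": "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
    "grafana_google_client_secret": "CLIENT_SECRET_PLACEHOLDER",
})

# Stand-in for the chart-level defaults merged in modules/grafana/main.tf.
CHART_DEFAULTS = {"paths": {"data": "/var/lib/grafana/"}, "log": {"mode": "console"}}


def merge_ini(defaults: dict, overrides: dict) -> dict:
    """Shallow merge like Terraform's merge(): a top-level key in overrides
    replaces the whole section of the same name from defaults."""
    merged = dict(defaults)
    merged.update(overrides)
    return merged


def render_ini(sections: dict) -> str:
    """Render {section: {key: value}} as INI; booleans become 'true'/'false'."""
    lines = []
    for section, keys in sections.items():
        lines.append(f"[{section}]")
        for key, value in keys.items():
            if isinstance(value, bool):
                value = str(value).lower()
            lines.append(f"{key} = {value}")
        lines.append("")
    return "\n".join(lines)


def build_sample_config(secret_json: str = SECRET_JSON) -> dict:
    """Same values as the grafana.tf module block, with secrets injected
    the way local.grafana_secrets does it."""
    secrets = json.loads(secret_json)
    return merge_ini(CHART_DEFAULTS, {
        "auth.google": {
            "enabled": True,
            "allow_sign_up": True,
            "auto_login": True,
            "client_id": secrets["grafana_google_client_id"],
            "client_secret": secrets["grafana_google_client_secret"],
            "scopes": "openid profile email",
            "auth_url": "https://accounts.google.com/o/oauth2/v2/auth",
            "token_url": "https://oauth2.googleapis.com/token",
            "api_url": "https://openidconnect.googleapis.com/v1/userinfo",
            "allowed_domains": "my-company.com gmail.com",
            "use_pkce": True,
        },
        "server": {"root_url": "https://grafana.my-company.com"},
    })


def audit_google_auth(ini_text: str) -> list[str]:
    """Parse rendered grafana.ini and return findings for [auth.google]."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $__env{} literal
    cp.read_file(io.StringIO(ini_text))
    findings: list[str] = []
    if not cp.has_section("auth.google"):
        return ["auth.google section missing"]
    g = cp["auth.google"]
    domains = set(g.get("allowed_domains", "").split())
    if g.getboolean("allow_sign_up", fallback=False):
        public = sorted(domains & PUBLIC_MAIL_DOMAINS)
        if not domains:
            findings.append("allow_sign_up=true with no allowed_domains: any Google account can register")
        elif public:
            findings.append(f"allow_sign_up=true with public domains {public}: anyone there can self-register")
    if not g.getboolean("use_pkce", fallback=False):
        findings.append("use_pkce is not enabled")
    secret = g.get("client_secret", "")
    if secret and not secret.startswith(("$__env{", "$__file{", "$__vault{")):
        findings.append("client_secret is a literal; it will be written into the rendered ConfigMap")
    if not cp.get("server", "root_url", fallback="").startswith("https://"):
        findings.append("server.root_url is not https; the /login/google redirect must match the registered URI")
    return findings


if __name__ == "__main__":
    ini = render_ini(build_sample_config())
    print(ini)
    for finding in audit_google_auth(ini):
        print("FINDING:", finding)
```

Run as-is, the sample reproduces the post's configuration and reports two findings: the gmail.com entry in allowed_domains (every Gmail account can self-register while allow_sign_up is true) and the literal client_secret. Whether either is intended is a policy decision; the audit just makes sure it is a conscious one. Narrowing allowed_domains to the Workspace domain and setting client_secret to $__env{GF_AUTH_GOOGLE_CLIENT_SECRET}, with the real value supplied through the env map the Helm release already passes, brings the finding list to empty.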