diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index 1aa605615dc26c9394f4f7143f5f50975107cffe..d07756e429500769db2f5e09bc4493a2c1f7fbbb 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -21,6 +21,8 @@ let
         monitoringvpnIPv4 = "172.23.23.11";
       }))
     ];
+    services.private-storage.monitoring.grafana.googleOAuthClientID = "";
+    services.private-storage.monitoring.grafana.googleOAuthClientSecretFile = /run/keys/grafana-google-sso.secret;
   };
 
   monitoring = {
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 996b1fba0bd2c12c22b00f549aa26c8b8472653d..0ecae92fe0c5007ffd12e288c4d854849c0d8a20 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -45,6 +45,8 @@ let
         stateVersion = "19.09";
       })
     ];
+    services.private-storage.monitoring.grafana.googleOAuthClientID = "";
+    services.private-storage.monitoring.grafana.googleOAuthClientSecretFile = /run/keys/grafana-google-sso.secret;
   };
 
   # TBD: derive these automatically:
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 8fea577341a4432b799c0604717969a4a4939054..23b0e0d4ea2d181b788f279db67968dfeb6fe1fb 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -42,6 +42,7 @@
   deployment.secrets = {
     "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
     "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
+    "grafana-google-sso-secret".source = "${privateKeyPath}/grafana-google-sso.secret";
   };
 
   networking.domain = domain;
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index 6df65a5437baf430b451db42b24e57316db21f28..31ab1c0db606008cdc948d60187f287dcb4f2355 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -17,6 +17,13 @@ rec {
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
+      "grafana-google-sso-secret" = {
+        destination = "/run/keys/grafana-google-sso.secret";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "grafana.service"];
+      };
     };
   };