diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 3080c3646cbbc333bce2d41a3804e430297aa1da..36bb564a3d26eca419c46dcdef070584e6ff5d7d 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -60,8 +60,8 @@
         "grafana-google-sso-secret" = {
           source = "${privateKeyPath}/grafana-google-sso.secret";
           destination = "/run/keys/grafana-google-sso.secret";
-          owner.user = "root";
-          owner.group = "root";
+          owner.user = config.systemd.services.grafana.serviceConfig.User;
+          owner.group = config.users.users.grafana.group;
           permissions = "0400";
           action = ["sudo" "systemctl" "restart" "grafana.service"];
         };
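Review bot: The new `owner.user` and `owner.group` are derived from two different sources: the user comes from the systemd unit's `serviceConfig.User`, while the group is looked up under the hard-coded account name `grafana`. If the unit's user is ever overridden, the secret would end up owned by one account and grouped under another; deriving both from the same value keeps them in step, e.g. `owner.group = config.users.users.${config.systemd.services.grafana.serviceConfig.User}.group;`. Since `permissions = "0400"` gives the group no access, a short comment such as `# owner-only read; the group is set for tidiness, not access` would also make the intent clear. Both lookups presumably only evaluate on hosts where Grafana is enabled, which is worth confirming for every deployment that imports this file; the enclosing attribute set starts and ends outside the hunk.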
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index b5719f2d46085aaca52a701af70019c5ef59ba78..28c1b6906137afeae8823d75de304eab56b55872 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -119,5 +119,8 @@ in {
         };
       };
     };
+
+    # Let Grafana read from keys, if necessary.
+    users.users.grafana.extraGroups = [ "keys" ];
   };
 }
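Review bot: The comment above `users.users.grafana.extraGroups` says "if necessary" but the membership is granted unconditionally, and it does not say what the `keys` group actually opens up. On NixOS `/run/keys` is normally traversable only by root and members of `keys`, so this gives the Grafana account access to the whole directory (file names, plus any key that happens to be group-readable by `keys`) on every host that imports the module, not just to its own SSO secret. I would spell that out, e.g. `# /run/keys is restricted to the "keys" group; Grafana needs membership to open its own secret there, so other keys must not be group-readable by "keys".` If only some hosts deploy a secret for Grafana, making the line conditional on that would keep the grant to where it is needed.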