diff --git a/apps/grafana/release.yaml b/apps/grafana/release.yaml
index 55d0f0e0..7e8118d8 100644
--- a/apps/grafana/release.yaml
+++ b/apps/grafana/release.yaml
@@ -171,3 +171,11 @@ spec:
 selector:
 matchLabels:
 scrape-service-metrics: "true"
+ - apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::${flux_workload_account_id}:role/grafana-irsa
+ eks.amazonaws.com/sts-regional-endpoints: "true"
+ name: grafana
+ namespace: grafana
diff --git a/apps/grafana/secretstore-1password.yaml b/apps/grafana/secretstore-1password.yaml
new file mode 100644
index 00000000..aae14e08
--- /dev/null
+++ b/apps/grafana/secretstore-1password.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+ name: grafana-1password
+ namespace: grafana
+spec:
+ provider:
+ onepassword:
+ connectHost: http://onepassword-connect.1password-connect.svc.cluster.local:8080
+ vaults:
+ CloudEng-General: 1
+ auth:
+ secretRef:
+ connectTokenSecretRef:
+ name: onepassword-basic-auth
+ key: 1password-connect-token
diff --git a/apps/grafana/secretstore-ssm.yaml b/apps/grafana/secretstore-ssm.yaml
new file mode 100644
index 00000000..a99cfc0c
--- /dev/null
+++ b/apps/grafana/secretstore-ssm.yaml
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+ name: grafana-ssm
+ namespace: grafana
+spec:
+ provider:
+ aws:
+ service: ParameterStore
+ region: eu-west-1
+ auth:
+ jwt:
+ serviceAccountRef:
+ name: grafana
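Review bot: The `grafana` ServiceAccount added in apps/grafana/release.yaml is the same identity that `serviceAccountRef` in apps/grafana/secretstore-ssm.yaml uses for Parameter Store access, so the single role `grafana-irsa` serves both the workload and the secret store. If the Grafana pods run as this account (likely from the name, but not visible in the hunk), every parameter the role can read is reachable with the pod's own web-identity credentials, not only through ExternalSecret objects. Consider a separate ServiceAccount and role for the store, or at least a comment above the annotation such as `# grafana-irsa: keep limited to read-only SSM access on Grafana's own parameters`. The role's policy and trust relationship are outside this diff; the trust condition should name only `system:serviceaccount:grafana:grafana`.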
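Review bot: `connectHost` in apps/grafana/secretstore-1password.yaml uses plain `http://`, so the Connect token read from `onepassword-basic-auth` and the returned item values cross the pod network unencrypted. If Connect cannot be served over TLS in this cluster, restrict access to that service with a NetworkPolicy or mesh mTLS and record the decision in a comment above the key, e.g. `# plaintext in-cluster hop; access to onepassword-connect is restricted by NetworkPolicy`. The store also makes the whole `CloudEng-General` vault (a shared vault, judging by its name) available to anything that can create an ExternalSecret in the `grafana` namespace; a vault holding only Grafana items, with a Connect token scoped to it, would narrow that. The Secret `onepassword-basic-auth` is not created in this diff and has to exist in the `grafana` namespace for the store to become ready.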