diff --git a/.env b/.env
index be60d53..d218223 100644
--- a/.env
+++ b/.env
@@ -12,5 +12,6 @@ DATABASE_URL= "postgres://postgres:U1pm3f5SX34DXkHoW6aKFsBHOlMA9binDPNG4aT0FAcg7
 
 # Grafana
 GRAFANA_ADMIN_PASSWORD=ed3aaf20707fb5af9185708ec27f5211f71b35067277993eab624abce1
+GRAFANA_DB_RO_PASSWORD=7942a1DeLgyuiCzh8XFH21sPVJqRJo737qDW1PNDEtM
 
 API_BASE_URL   = "https://eu-open.tracksolidpro.com/route/rest"
diff --git a/run_migrations.py b/run_migrations.py
index d5f3e84..8b148e9 100644
--- a/run_migrations.py
+++ b/run_migrations.py
@@ -158,6 +158,23 @@ def run_file(path, filename):
     return True
 
 
+def sync_role_passwords(conn):
+    """
+    Keep DB role passwords in sync with env vars on every startup.
+    Safe to run repeatedly — ALTER ROLE is idempotent.
+    This fixes roles created with the placeholder 'SET_PASSWORD_IN_ENV'.
+    """
+    roles = {
+        "grafana_ro": os.getenv("GRAFANA_DB_RO_PASSWORD"),
+    }
+    with conn.cursor() as cur:
+        for role, password in roles.items():
+            if password:
+                cur.execute(f"ALTER ROLE {role} WITH PASSWORD %s", (password,))
+                print(f"  Password synced for role: {role}")
+    conn.commit()
+
+
 def verify_schema(conn):
     """Verify critical tables exist. Exit 1 if missing — blocks service start."""
     print("Verifying schema...")
@@ -210,6 +227,7 @@ def main():
 
     print(f"\nMigrations: {applied} applied, {skipped} skipped.")
 
+    sync_role_passwords(conn)
     verify_schema(conn)
     conn.close()
     print("Startup checks passed.\n")