diff --git a/mmv1/products/monitoring/NotificationChannel.yaml b/mmv1/products/monitoring/NotificationChannel.yaml
index 2ec0673814fd..0826c032c54d 100644
--- a/mmv1/products/monitoring/NotificationChannel.yaml
+++ b/mmv1/products/monitoring/NotificationChannel.yaml
@@ -108,28 +108,85 @@ properties: description: | An authorization token for a notification channel. Channel types that support this field include: slack sensitive: true + conflicts: + - 'sensitive_labels.0.auth_token_wo' exactly_one_of: - 'sensitive_labels.0.auth_token' - 'sensitive_labels.0.password' - 'sensitive_labels.0.service_key' + - name: 'authTokenWo' + type: String + description: | + An authorization token for a notification channel. Channel types that support this field include: slack. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes) + write_only_legacy: true + required_with: + - 'authTokenWoVersion' + conflicts: + - 'sensitive_labels.0.auth_token' + - name: 'authTokenWoVersion' + type: Integer + immutable: true + ignore_read: true + description: | + Triggers a new auth_token_wo to be written. Increment this to update auth_token_wo. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes) + required_with: + - 'sensitive_labels.0.auth_token_wo' - name: 'password' type: String description: | An password for a notification channel. Channel types that support this field include: webhook_basicauth sensitive: true + conflicts: + - 'sensitive_labels.0.password_wo' exactly_one_of: - 'sensitive_labels.0.auth_token' - 'sensitive_labels.0.password' - 'sensitive_labels.0.service_key' + - name: 'passwordWo' + type: String + description: | + An password for a notification channel. Channel types that support this field include: webhook_basicauth. 
For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes) + write_only_legacy: true + required_with: + - 'passwordWoVersion' + conflicts: + - 'sensitive_labels.0.password' + - name: 'passwordWoVersion' + type: Integer + immutable: true + ignore_read: true + description: | + Triggers a new password_wo to be written. Increment this to update password_wo. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes) + required_with: + - 'sensitive_labels.0.password_wo' - name: 'serviceKey' type: String description: | An servicekey token for a notification channel. Channel types that support this field include: pagerduty sensitive: true + conflicts: + - 'sensitive_labels.0.service_key_wo' exactly_one_of: - 'sensitive_labels.0.auth_token' - 'sensitive_labels.0.password' - 'sensitive_labels.0.service_key' + - name: 'serviceKeyWo' + type: String + description: | + An servicekey token for a notification channel. Channel types that support this field include: pagerduty. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes) + write_only_legacy: true + required_with: + - 'serviceKeyWoVersion' + conflicts: + - 'sensitive_labels.0.service_key' + - name: 'serviceKeyWoVersion' + type: Integer + immutable: true + ignore_read: true + description: | + Triggers a new service_key_wo to be written. Increment this to update service_key_wo. For more info see [updating write-only attributes](/docs/providers/google/guides/using_write_only_attributes.html#updating-write-only-attributes) + required_with: + - 'sensitive_labels.0.service_key_wo' - name: 'name' type: String description: | 
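Review bot: The `required_with` entries on the new write-only fields are written in two different forms: `authTokenWo`, `passwordWo` and `serviceKeyWo` reference a bare camelCase name (`- 'authTokenWoVersion'`), while the `*WoVersion` fields and every `conflicts` entry use the full schema path (`- 'sensitive_labels.0.auth_token_wo'`). If the generator passes these strings through unchanged, the camelCase form would presumably not resolve to the nested attribute, so a secret could be accepted without its version trigger; `- 'sensitive_labels.0.auth_token_wo_version'` (and the password/service_key equivalents) would match the rest of the hunk. The `exactly_one_of` lists also still name only the three non-write-only fields, so it is worth confirming that a block setting only `password_wo` passes validation.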
diff --git a/mmv1/templates/terraform/decoders/monitoring_notification_channel.go.tmpl b/mmv1/templates/terraform/decoders/monitoring_notification_channel.go.tmpl index 9298b2d12435..11f06a4eda33 100644 --- a/mmv1/templates/terraform/decoders/monitoring_notification_channel.go.tmpl +++ b/mmv1/templates/terraform/decoders/monitoring_notification_channel.go.tmpl @@ -16,6 +16,8 @@ if labelmap, ok := res["labels"]; ok { if _, apiOk := labels[sl]; apiOk { if _, exists := d.GetOkExists("sensitive_labels.0." + sl); exists { delete(labels, sl) + } else if _, existsWo := d.GetOkExists("sensitive_labels.0." + sl + "_wo"); existsWo { + delete(labels, sl) } else { labels[sl] = d.Get("labels." + sl) } diff --git a/mmv1/templates/terraform/encoders/monitoring_notification_channel.go.tmpl b/mmv1/templates/terraform/encoders/monitoring_notification_channel.go.tmpl index 4a4fbc8502d3..fd3bf075e676 100644 --- a/mmv1/templates/terraform/encoders/monitoring_notification_channel.go.tmpl +++ b/mmv1/templates/terraform/encoders/monitoring_notification_channel.go.tmpl @@ -22,6 +22,9 @@ for _, sl := range sensitiveLabels { if auth, _ := d.GetOkExists("sensitive_labels.0." + sl); auth != "" { labels[sl] = auth.(string) } + if authWo, _ := d.GetOkExists("sensitive_labels.0." + sl + "_wo"); authWo != "" { + labels[sl] = authWo.(string) + } } obj["labels"] = labels diff --git a/mmv1/third_party/terraform/services/monitoring/resource_monitoring_notification_channel_test.go b/mmv1/third_party/terraform/services/monitoring/resource_monitoring_notification_channel_test.go index a1732f47b31c..2bdd1baa2da5 100644 --- a/mmv1/third_party/terraform/services/monitoring/resource_monitoring_notification_channel_test.go +++ b/mmv1/third_party/terraform/services/monitoring/resource_monitoring_notification_channel_test.go 
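Review bot: Both new lookups read the write-only attribute through `d.GetOkExists("sensitive_labels.0." + sl + "_wo")`, but write-only values are not persisted to state, so in the decoder (read path) `existsWo` will likely never be true and the code falls through to `labels[sl] = d.Get("labels." + sl)`. Keying the check on the persisted version field, `} else if _, existsWo := d.GetOkExists("sensitive_labels.0." + sl + "_wo_version"); existsWo {`, would be safer. The encoder hunk that follows has the same dependency: if `d` there is built from the plan rather than the raw config, `authWo` comes back empty and the secret is silently never sent, so confirm it or read the value from raw config instead. Both enclosing blocks begin outside their hunks.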
@@ -5,6 +5,7 @@ import ( "testing" "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/plancheck" "github.com/hashicorp/terraform-provider-google/google/acctest" ) 
@@ -139,6 +140,91 @@ func TestAccMonitoringNotificationChannel_updateSensitiveLabels(t *testing.T) { }) } +func TestAccMonitoringNotificationChannel_updateSensitiveLabelsWriteOnly_slack(t *testing.T) { + // Slack auth_token required for test not to fail, skipping test till internal testing slack can be created + t.Skip() + t.Parallel() + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckMonitoringNotificationChannelDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccMonitoringNotificationChannel_sensitiveLabelsWriteOnly_slack("token1", 1), + }, + { + ResourceName: "google_monitoring_notification_channel.slack", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels.%", "labels.auth_token", "sensitive_labels"}, + }, + { + Config: testAccMonitoringNotificationChannel_sensitiveLabelsWriteOnly_slack("token2", 2), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("google_monitoring_notification_channel.slack", plancheck.ResourceActionUpdate), + }, + }, + }, + { + ResourceName: "google_monitoring_notification_channel.slack", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels.%", "labels.auth_token", "sensitive_labels"}, + }, + }, + }) +} + +func TestAccMonitoringNotificationChannel_updateSensitiveLabelsWriteOnly(t *testing.T) { + t.Parallel() + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckMonitoringNotificationChannelDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccMonitoringNotificationChannel_sensitiveLabelsWriteOnly("key1", "pass1", 1), + }, + { + ResourceName: "google_monitoring_notification_channel.pagerduty", + 
ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels.%", "labels.service_key", "sensitive_labels"}, + }, + { + ResourceName: "google_monitoring_notification_channel.basicauth", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels.%", "labels.password", "sensitive_labels"}, + }, + { + Config: testAccMonitoringNotificationChannel_sensitiveLabelsWriteOnly("key2", "pass2", 2), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("google_monitoring_notification_channel.pagerduty", plancheck.ResourceActionUpdate), + plancheck.ExpectResourceAction("google_monitoring_notification_channel.basicauth", plancheck.ResourceActionUpdate), + }, + }, + }, + { + ResourceName: "google_monitoring_notification_channel.pagerduty", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels.%", "labels.service_key", "sensitive_labels"}, + }, + { + ResourceName: "google_monitoring_notification_channel.basicauth", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"labels.%", "labels.password", "sensitive_labels"}, + }, + }, + }) +} + func testAccMonitoringNotificationChannel_update(channel, labels, enabled string) string { return fmt.Sprintf(` resource "google_monitoring_notification_channel" "update" { 
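Review bot: Neither new test asserts the property that write-only fields exist for, namely that the secret never lands in state; the apply steps carry no `Check`, and the import steps ignore `sensitive_labels` wholesale. Adding a check on the apply steps, e.g. `Check: resource.TestCheckNoResourceAttr("google_monitoring_notification_channel.basicauth", "sensitive_labels.0.password_wo"),`, would pin that for each channel. Separately, the slack test calls a bare `t.Skip()`; `t.Skip("needs a real Slack auth_token")` would surface the reason in test output instead of only in the comment.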
@@ -233,3 +319,48 @@ resource "google_monitoring_notification_channel" "pagerduty" { } `) } + +func testAccMonitoringNotificationChannel_sensitiveLabelsWriteOnly_slack(authToken string, version int) string { + return fmt.Sprintf(` +resource "google_monitoring_notification_channel" "slack" { + display_name = "TFTest Slack Channel" + type = "slack" + labels = { + "channel_name" = "#foobar" + } + + sensitive_labels { + auth_token_wo = "%s" + auth_token_wo_version = %d + } +} +`, authToken, version) +} + +func testAccMonitoringNotificationChannel_sensitiveLabelsWriteOnly(serviceKey, password string, version int) string { + return fmt.Sprintf(` +resource "google_monitoring_notification_channel" "basicauth" { + display_name = "TFTest Basicauth Channel" + type = "webhook_basicauth" + labels = { + "username" = "username" + "url" = "http://fakeurl.com" + } + + sensitive_labels { + password_wo = "%s" + password_wo_version = %d + } +} + +resource "google_monitoring_notification_channel" "pagerduty" { + display_name = "TFTest Pagerduty Channel" + type = "pagerduty" + + sensitive_labels { + service_key_wo = "%s" + service_key_wo_version = %d + } +} +`, password, version, serviceKey, version) +}
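Review bot: The basicauth fixture points the channel at `"url" = "http://fakeurl.com"`, a registrable domain over plain HTTP, on a resource that carries a basic-auth password. Even with dummy values, a reserved name over TLS such as `"url" = "https://example.com"` avoids ever directing credentials at a third-party host in clear text. The `fmt.Sprintf` arguments are also passed in a different order from the function's parameters (`password, version, serviceKey, version`), which deserves a one-line comment such as `// order follows the template: basicauth first, then pagerduty`.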