diff --git a/roles/ceph-common/tasks/facts.yml b/roles/ceph-common/tasks/facts.yml
index 77d58df73..6d36fe58b 100644
--- a/roles/ceph-common/tasks/facts.yml
+++ b/roles/ceph-common/tasks/facts.yml
@@ -35,6 +35,7 @@
 # We want this check to be run only on one mon
 - name: check if {{ fetch_directory }} directory exists
 local_action: stat path="{{ fetch_directory }}/monitor_keyring.conf"
+ become: false
 register: monitor_keyring_conf
 run_once: true
@@ -71,6 +72,7 @@
 - name: write initial mon keyring in {{ fetch_directory }}/monitor_keyring.conf if it doesn't exist
 local_action: shell echo {{ monitor_keyring.stdout }} | tee {{ fetch_directory }}/monitor_keyring.conf
+ become: false
 when:
 - test_initial_monitor_keyring.rc == 0
diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml
index 0b64972ac..4aeb22923 100644
--- a/roles/ceph-mon/tasks/ceph_keys.yml
+++ b/roles/ceph-mon/tasks/ceph_keys.yml
@@ -6,6 +6,21 @@
 path: /etc/ceph/{{ cluster }}.client.admin.keyring
 when: cephx
+- name: test if initial mon keyring is in mon kv store
+ command: ceph --cluster {{ cluster }} config-key get initial_mon_keyring
+ changed_when: false
+ failed_when: false
+ always_run: true
+ run_once: true
+ register: is_initial_mon_keyring_in_kv
+
+- name: put initial mon keyring in mon kv store
+ command: ceph --cluster {{ cluster }} config-key put initial_mon_keyring {{ monitor_keyring.stdout }}
+ changed_when: false
+ always_run: true
+ run_once: true
+ when: is_initial_mon_keyring_in_kv.rc != 0
+
 - name: create ceph rest api keyring when mon is not containerized
 command: ceph --cluster {{ cluster }} auth get-or-create client.restapi osd 'allow *' mon 'allow *' -o /etc/ceph/{{ cluster }}.client.restapi.keyring
 args:
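Review bot: The `write initial mon keyring` task in the second facts.yml hunk still pipes the secret through `shell echo … | tee`, so with `become: false` the file is created under the invoking user's umask (often world-readable) and the keyring is echoed into the task's stdout and any Ansible log. Adding `no_log: true` and writing the file with an explicit mode would close both gaps, for example `local_action: copy content="{{ monitor_keyring.stdout }}" dest="{{ fetch_directory }}/monitor_keyring.conf" mode=0600`. If an earlier privileged run left `fetch_directory` owned by root, the now-unprivileged write will presumably fail, which is worth an upgrade note. The task's `when:` list continues outside the hunk.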
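Review bot: The new `put initial mon keyring in mon kv store` task in ceph_keys.yml passes `{{ monitor_keyring.stdout }}` as a command-line argument, so the mon secret is visible in the process list on the monitor host and is recorded in Ansible's task output. Add `no_log: true` to it, and consider supplying the value from a file with `-i` instead of argv. `always_run: true` on this task makes the `config-key put` execute in check mode as well, so a dry run modifies the cluster; that setting belongs only on the read-only `get` task. Because the test task sets `failed_when: false`, any non-zero exit (for instance an unreachable mon) is treated as "key absent" and triggers the put. Unlike the task above them, neither new task is gated on `when: cephx`, so confirm `monitor_keyring` is defined when cephx is disabled.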