diff --git a/roles/ceph-mon/tasks/openstack_config.yml b/roles/ceph-mon/tasks/openstack_config.yml
index f99d80b76..f95f03ba0 100644
--- a/roles/ceph-mon/tasks/openstack_config.yml
+++ b/roles/ceph-mon/tasks/openstack_config.yml
@@ -50,24 +50,25 @@
     - openstack_config
     - item.0 != groups[mon_group_name] | last
 
-- name: chmod openstack key(s)
+- name: chmod openstack key(s) on the other mons and this mon
   file:
-    path: "/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
-    mode: "{{ item.mode|default(omit) }}" # if mode not in list, uses mode from ps umask
-  with_items: "{{ openstack_keys }}"
-  when:
-    - openstack_config
-    - cephx
-
-- name: setfacl for openstack key(s)
-  acl:
-    path: "/etc/ceph/{{ cluster }}.{{ item.0.name }}.keyring"
-    entry: "{{ item.1 }}"
-    state: present
-  with_subelements:
+    path: "/etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
+    mode: "{{ item.1.mode|default(omit) }}" # if mode not in list, uses mode from ps umask
+  with_nested:
+    - "{{ groups[mon_group_name] }}"
     - "{{ openstack_keys }}"
-    - acls
-    - skip_missing: true
+  delegate_to: "{{ item.0 }}"
   when:
     - openstack_config
     - cephx
+
+- name: setfacl for openstack key(s) on the other mons and this mon
+  command: "setfacl -m {{ item.1.acls | join(',') }} /etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
+  with_nested:
+    - "{{ groups[mon_group_name] }}"
+    - "{{ openstack_keys }}"
+  delegate_to: "{{ item.0 }}"
+  when:
+    - item.1.acls | length > 0
+    - openstack_config
+    - cephx
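Review bot: The guard `item.1.acls | length > 0` on the new setfacl task assumes every `openstack_keys` entry defines `acls`. The removed `with_subelements` form passed `skip_missing: true`, so an entry without `acls` was tolerated before and would now most likely fail the conditional on an undefined attribute; `item.1.acls | default([]) | length > 0` keeps the old tolerance. Replacing the `acl` module with `command: "setfacl -m ..."` also makes the task report changed on every run, and it interpolates the ACL entries and key name straight into an argument string, so a `changed_when:` condition and a check that `item.1.name` holds no whitespace would be worth adding. In the chmod task, `mode: "{{ item.1.mode|default(omit) }}"` still leaves a keyring that holds a cephx secret at whatever mode it was created with when no mode is listed. A restrictive fallback such as `default('0600')` would be safer if existing deployments can accept it.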