diff --git a/roles/kubernetes/master/meta/main.yml b/roles/kubernetes/master/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f3cd01a6430a118c77be5ee77f096ef67b48c0dc
--- /dev/null
+++ b/roles/kubernetes/master/meta/main.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+  - role: kubernetes/tokens
+    when: kube_token_auth
+    tags:
+      - k8s-secrets
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index abc850cbb111ef18ef7d7f7e736ba110d9aeff2a..ea5f604c548a980f504b6caae5e88728172f9d9e 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -5,12 +5,6 @@
     - k8s-gen-certs
     - facts
 
-- import_tasks: check-tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
-    - facts
-
 - name: Make sure the certificate directory exits
   file:
     path: "{{ kube_cert_dir }}"
@@ -18,13 +12,6 @@
     mode: o-rwx
     group: "{{ kube_cert_group }}"
 
-- name: Make sure the tokens directory exits
-  file:
-    path: "{{ kube_token_dir }}"
-    state: directory
-    mode: o-rwx
-    group: "{{ kube_cert_group }}"
-
 #
 # The following directory creates make sure that the directories
 # exist on the first master for cases where the first master isn't
@@ -37,7 +24,7 @@
     owner: kube
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
-  when: gen_certs|default(false) or gen_tokens|default(false)
+  when: gen_certs|default(false)
   tags:
     - kubelet
     - k8s-secrets
@@ -55,20 +42,10 @@
     owner: kube
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
-  when: gen_certs|default(false) or gen_tokens|default(false)
+  when: gen_certs|default(false)
   tags:
     - k8s-secrets
 
-- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
-  file:
-    path: "{{ kube_token_dir }}"
-    state: directory
-    mode: o-rwx
-    group: "{{ kube_cert_group }}"
-  run_once: yes
-  delegate_to: "{{groups['kube-master'][0]}}"
-  when: gen_tokens|default(false)
-
 - include_tasks: "gen_certs_script.yml"
   when:
     - cert_management |d('script') == 'script'
@@ -130,8 +107,3 @@
     - kubelet
     - node
     - kube-proxy
-
-- import_tasks: gen_tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
diff --git a/roles/kubernetes/secrets/files/kube-gen-token.sh b/roles/kubernetes/tokens/files/kube-gen-token.sh
old mode 100755
new mode 100644
similarity index 100%
rename from roles/kubernetes/secrets/files/kube-gen-token.sh
rename to roles/kubernetes/tokens/files/kube-gen-token.sh
diff --git a/roles/kubernetes/secrets/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml
similarity index 100%
rename from roles/kubernetes/secrets/tasks/check-tokens.yml
rename to roles/kubernetes/tokens/tasks/check-tokens.yml
diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/tokens/tasks/gen_tokens.yml
similarity index 97%
rename from roles/kubernetes/secrets/tasks/gen_tokens.yml
rename to roles/kubernetes/tokens/tasks/gen_tokens.yml
index c24ba50fd087e83e1c68b3530c4985908f8bec34..47370c205241b89fb1ac4fe9909d3284942a894e 100644
--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/tokens/tasks/gen_tokens.yml
@@ -17,7 +17,6 @@
     - "{{ groups['kube-master'] }}"
   register: gentoken_master
   changed_when: "'Added' in gentoken_master.stdout"
-  notify: set secret_changed
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_tokens|default(false)
@@ -31,7 +30,6 @@
     - "{{ groups['kube-node'] }}"
   register: gentoken_node
   changed_when: "'Added' in gentoken_node.stdout"
-  notify: set secret_changed
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_tokens|default(false)
diff --git a/roles/kubernetes/tokens/tasks/main.yml b/roles/kubernetes/tokens/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..49b8c13fa28c3f8eb06484b07f7a635464ec7934
--- /dev/null
+++ b/roles/kubernetes/tokens/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- import_tasks: check-tokens.yml
+  tags:
+    - k8s-secrets
+    - k8s-gen-tokens
+    - facts
+
+- name: Make sure the tokens directory exits
+  file:
+    path: "{{ kube_token_dir }}"
+    state: directory
+    mode: o-rwx
+    group: "{{ kube_cert_group }}"
+
+- import_tasks: gen_tokens.yml
+  tags:
+    - k8s-secrets
+    - k8s-gen-tokens
diff --git a/tests/files/gce_centos7-flannel-addons.yml b/tests/files/gce_centos7-flannel-addons.yml
index 3847fbc914fe8588889fc62828116a2dfe4e9911..05a9a837f9d75520e25f1b8badd5d40578ab9e62 100644
--- a/tests/files/gce_centos7-flannel-addons.yml
+++ b/tests/files/gce_centos7-flannel-addons.yml
@@ -18,3 +18,5 @@ kube_encrypt_secret_data: true
 ingress_nginx_enabled: true
 cert_manager_enabled: true
 metrics_server_enabled: true
+kube_token_auth: true
+kube_basic_auth: true