diff --git a/roles/etcd/tasks/sync_etcd_master_certs.yml b/roles/etcd/tasks/sync_etcd_master_certs.yml
index b810ff775ab76f5e5be44daf5551503d235ab544..3990e569df3fc6c2c6334bc6e0f459afbad5a449 100644
--- a/roles/etcd/tasks/sync_etcd_master_certs.yml
+++ b/roles/etcd/tasks/sync_etcd_master_certs.yml
@@ -13,6 +13,8 @@
     sync_file: "{{ item }}"
     sync_file_dir: "{{ etcd_cert_dir }}"
     sync_file_hosts: [ "{{ inventory_hostname }}" ]
+    sync_file_owner: kube
+    sync_file_group: root
     sync_file_is_cert: true
   with_items: "{{ etcd_master_cert_list|d([]) }}"
 
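Review bot: `sync_file_owner: kube` and `sync_file_group: root` are hard-coded literals, while gen_certs_vault.yml in this same commit passes `issue_cert_file_group: "{{ kube_cert_group }}"` next to `issue_cert_file_owner: kube`. If `kube_cert_group` is not `root` on a deployment, the synced etcd certs and the issued kube certs end up with different group access, which is easy to miss when debugging permission errors. Consider `sync_file_group: "{{ kube_cert_group }}"` here, or add a comment such as `# root group on purpose: only the kube user may read the etcd client key`. The same literal owner/group pair is added in all three hunks of sync_vault_certs.yml. The enclosing task starts above the hunk, so the file mode that sync_file applies is not visible and should be checked alongside this.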
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
index 88db2f5a40111382e1d0a6c05a0d902459d84cfc..136ef3ffe8357458ef312f92b1b6e49c5e3b9bbc 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -44,6 +44,7 @@
     issue_cert_file_group: "{{ kube_cert_group }}"
     issue_cert_file_owner: kube
     issue_cert_hosts: "{{ groups['kube-master'] }}"
+    issue_cert_run_once: true
     issue_cert_ip_sans: >-
         [
         {%- for host in groups['kube-master']  -%}
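Review bot: `issue_cert_run_once: true` is undocumented here, although it appears to change the trust model. Taken together with the "Copy ... cert to all hosts" task in issue_cert.yml, it seems that every host in `groups['kube-master']` now receives the same certificate and private key instead of one per host. A comment above the new line would record that this is deliberate, for example `# issue one cert and share it: all masters present the same key pair`. The `issue_cert_ip_sans` template continues below the hunk, so it is worth confirming that the single certificate carries SANs for every master and not only the host that ran the task.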
diff --git a/roles/vault/tasks/bootstrap/main.yml b/roles/vault/tasks/bootstrap/main.yml
index 18373ad9a3b973c4758ce84b49a5e526af36041b..e4e67d11fcd348d2640c6373cb3550eb79f7477c 100644
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@@ -43,7 +43,7 @@
     - "{{ vault_pki_mounts.etcd }}"
   loop_control:
     loop_var: mount
-  when: inventory_hostname in groups.vault and not vault_cluster_is_initialized
+  when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
 
 - include_tasks: ../shared/gen_ca.yml
   vars:
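Review bot: The new condition `inventory_hostname == groups.vault|first and not vault_cluster_is_initialized` relies on Jinja precedence (filter, then `==`, then `and`) and silently pins the task to one host. Parenthesising makes the intent explicit: `when: inventory_hostname == (groups.vault | first) and not vault_cluster_is_initialized`. With a `--limit` or batch that excludes the first vault host, the task is skipped on every host and the PKI mounts listed above are not created, so later certificate tasks would likely fail. A one-line comment naming the first vault host as the designated bootstrap node would help operators. The task's start is outside the hunk.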
diff --git a/roles/vault/tasks/bootstrap/sync_vault_certs.yml b/roles/vault/tasks/bootstrap/sync_vault_certs.yml
index d6b2c6e91d07e3c3ad350c382a407155efefd15d..cf499099a3ba5171ee5334afa8c0ac76a6de2f5d 100644
--- a/roles/vault/tasks/bootstrap/sync_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/sync_vault_certs.yml
@@ -4,6 +4,8 @@
     sync_file: "ca.pem"
     sync_file_dir: "{{ vault_cert_dir }}"
     sync_file_hosts: "{{ groups.vault }}"
+    sync_file_owner: vault
+    sync_file_group: root
     sync_file_is_cert: true
 
 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
@@ -20,6 +22,8 @@
     sync_file: "ca.pem"
     sync_file_dir: "{{ vault_cert_dir }}"
     sync_file_hosts: "{{ groups['kube-master'] }}"
+    sync_file_owner: vault
+    sync_file_group: root
     sync_file_is_cert: false
 
 - name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
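Review bot: `sync_file_owner: vault` is applied to `groups['kube-master']` in this hunk, and nothing visible guarantees that a `vault` user exists on masters that are not also in `groups.vault`. If sync_file sets ownership through the file or copy module, a missing user fails the play on those hosts, so confirm that the user-creation task runs on kube-master before this point. With `sync_file_is_cert: false` this is presumably only the CA certificate, which holds no secret, so an owner known to exist on every master would likely serve equally well here.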
@@ -36,6 +40,8 @@
     sync_file: "api.pem"
     sync_file_dir: "{{ vault_cert_dir }}"
     sync_file_hosts: "{{ groups.vault }}"
+    sync_file_owner: vault
+    sync_file_group: root
     sync_file_is_cert: true
 
 - name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml
index 89921b345a82954f753c3500cc8b5067ace15e63..be49f375d6490ccb1b37e966ce0e2788df34c56b 100644
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@@ -45,7 +45,7 @@
     state: directory
     recurse: yes
     owner: "vault"
-    group: "vault"
+    group: "root"
     mode: 0755
 
 - name: gen_certs_vault | install hvac
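Review bot: `recurse: yes` combined with `mode: 0755` applies the owner, group and mode to everything already under this directory, not only to the directory itself. On a re-run, any key material stored there would be reset to vault:root and made world-readable until a later task corrects it. The path is outside the hunk, so whether private keys live under it is an assumption to confirm. If the task only needs to create the directory, drop `recurse: yes`. Quoting the mode as `mode: "0755"` also avoids relying on YAML octal parsing.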
@@ -87,6 +87,7 @@
       format: "{{ issue_cert_format | d('pem') }}"
       ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
   register: issue_cert_result
+  run_once: "{{ issue_cert_run_once | d(false) }}"
 
 - name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
   copy:
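Review bot: The added `run_once: "{{ issue_cert_run_once | d(false) }}"` has two Ansible behaviours that this task should document. First, `run_once` executes on the first host of the current batch, so under `serial` each batch issues its own certificate and hosts in different batches receive different key pairs. Second, any `when` on this task (its start is outside the hunk) is evaluated only for that first host, so a false condition there skips issuance for every host. A comment above the line would cover both, for example `# run_once: one cert per play batch; issue_cert_result is shared with all hosts for the copy below`. It is also worth confirming that the following copy task writes the private key with a restrictive mode, since the same key now lands on every target host.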