diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index 9533f4e7032c12893d7b3bb060b441ce36c2481d..8da2df988acb0ff467032e43e908f244756de4fd 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -14,6 +14,7 @@ etcd_backup_retention_count: -1
 
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
+etcd_cert_dir_mode: "0700"
 etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
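Review bot: The new `etcd_cert_dir_mode` default has no comment, and its correct use depends on the value staying a quoted string. Because the tasks consume it through `"{{ etcd_cert_dir_mode }}"`, an override written unquoted (`etcd_cert_dir_mode: 0750`) would most likely be read by YAML as an integer and rendered in decimal, so the file module would either reject it or apply an unintended mode. I would add above the variable something like `# Mode for etcd_cert_dir, applied recursively by the gen_certs tasks. Keep it a quoted octal string, e.g. "0700".`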
diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index 0314ad9d9e4249ba317007640cb3fc86c7a68acc..36a8e2fc6e761c77c17aeb0b6680de7ea108a332 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -5,7 +5,7 @@
     group: "{{ etcd_cert_group }}"
     state: directory
     owner: kube
-    mode: 0700
+    mode: "{{ etcd_cert_dir_mode }}"
     recurse: yes
 
 - name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
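Review bot: With `recurse: yes` on the line after the new `mode: "{{ etcd_cert_dir_mode }}"`, the templated mode is applied to everything under the directory, not only the directory itself; the hunk at line 157 has the same shape. Presumably that includes the generated certificate and key files, so an override meant only to let another account traverse the directory (any value with group or other bits) would loosen the key files as well. Either document that the variable is applied recursively, or set directory and file modes separately so the directory can be opened up without touching the keys. The task's name and module line are above the hunk.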
@@ -157,5 +157,5 @@
     group: "{{ etcd_cert_group }}"
     state: directory
     owner: kube
-    mode: 0640
+    mode: "{{ etcd_cert_dir_mode }}"
     recurse: yes
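Review bot: The effective default for this task silently changes from `0640` to `0700`, because it now shares `etcd_cert_dir_mode` with the first task. Under the default, `etcd_cert_group` no longer has read access to anything below the directory, so any consumer that relied on group read would lose access; whether one exists is not visible from this hunk. If the tightening is intended, it deserves a line in the commit message and release notes; if not, this task needs its own variable that defaults to the previous value. The task header is above the hunk.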