diff --git a/roles/etcd/tasks/gen_certs.yml b/roles/etcd/tasks/gen_certs.yml index 49ca33186..a4fd3a9d7 100644 --- a/roles/etcd/tasks/gen_certs.yml +++ b/roles/etcd/tasks/gen_certs.yml @@ -1,19 +1,29 @@ --- +- name: Gen_certs | create etcd cert dir + file: + path={{ etcd_cert_dir }} + group={{ etcd_cert_group }} + state=directory + owner=root + recurse=yes -- name: Gen_certs | create etcd script dir +- name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})" file: path: "{{ etcd_script_dir }}" state: directory owner: root - when: inventory_hostname == groups['etcd'][0] + run_once: yes + delegate_to: "{{groups['etcd'][0]}}" -- name: Gen_certs | create etcd cert dir +- name: "Gen_certs | create etcd cert dir (on {{groups['etcd'][0]}})" file: path={{ etcd_cert_dir }} group={{ etcd_cert_group }} state=directory owner=root recurse=yes + run_once: yes + delegate_to: "{{groups['etcd'][0]}}" - name: Gen_certs | write openssl config template: diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml index 545cba31f..cf4614d74 100644 --- a/roles/kubernetes/secrets/tasks/gen_certs.yml +++ b/roles/kubernetes/secrets/tasks/gen_certs.yml @@ -1,4 +1,24 @@ --- +- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})" + file: + path: "{{ kube_config_dir }}" + state: directory + owner: kube + run_once: yes + delegate_to: "{{groups['kube-master'][0]}}" + tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node] + when: gen_certs|default(false) + +- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})" + file: + path: "{{ kube_script_dir }}" + state: directory + owner: kube + run_once: yes + delegate_to: "{{groups['kube-master'][0]}}" + tags: [k8s-secrets, bootstrap-os] + when: gen_certs|default(false) + - name: Gen_certs | write openssl config template: src: "openssl.conf.j2" 
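Review bot: Both `create etcd cert dir` tasks in this hunk set `owner` and `group` but no `mode`, so the directory's permission bits are left to whatever the remote host defaults to. If this directory holds the etcd TLS private keys, as its name suggests, other local users may be able to read them. Adding `mode=o-rwx` to each task, as the tokens-directory task in roles/kubernetes/secrets/tasks/main.yml already does, would close that, and with `recurse=yes` it would also apply to files already in the directory. As a style point, these tasks use `key=value` arguments while the script-dir task next to them uses a native YAML mapping; converting them and writing `run_once: true` would keep the file consistent.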
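Review bot: The added script-directory task sets `owner: kube` on `{{ kube_script_dir }}`, whereas the equivalent etcd task in roles/etcd/tasks/gen_certs.yml keeps `owner: root`. If the scripts placed in this directory are executed as root (not visible in this hunk), a directory owned by the service account lets that account replace them before they run. Using `owner: root` with an explicit `mode: "0755"` would avoid that, provided no other role relies on `kube` being able to write there. The same task is added again in roles/kubernetes/secrets/tasks/main.yml, so the point applies there as well.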
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml index 4dc6f8c30..4d25a94af 100644 --- a/roles/kubernetes/secrets/tasks/main.yml +++ b/roles/kubernetes/secrets/tasks/main.yml @@ -35,6 +35,41 @@ when: inventory_hostname in "{{ groups['kube-master'] }}" notify: set secret_changed +# +# The following directory creates make sure that the directories +# exist on the first master for cases where the first master isn't +# being run. +# +- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})" + file: + path: "{{ kube_config_dir }}" + state: directory + owner: kube + run_once: yes + delegate_to: "{{groups['kube-master'][0]}}" + tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node] + when: gen_certs|default(false) or gen_tokens|default(false) + +- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})" + file: + path: "{{ kube_script_dir }}" + state: directory + owner: kube + run_once: yes + delegate_to: "{{groups['kube-master'][0]}}" + tags: [k8s-secrets, bootstrap-os] + when: gen_certs|default(false) or gen_tokens|default(false) + +- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})" + file: + path={{ kube_token_dir }} + state=directory + mode=o-rwx + group={{ kube_cert_group }} + run_once: yes + delegate_to: "{{groups['kube-master'][0]}}" + when: gen_tokens|default(false) + - include: gen_certs.yml tags: k8s-secrets - include: gen_tokens.yml
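Review bot: The two directory tasks added here are copies of the ones this commit also adds at the top of gen_certs.yml, which is included a few lines below. Because these copies run first under the wider condition `gen_certs|default(false) or gen_tokens|default(false)`, the gen_certs.yml copies look redundant and the two sets can drift apart; keeping a single copy in main.yml would be enough. With `run_once`, Ansible evaluates `when` only against the first host of the play, so if `gen_certs`/`gen_tokens` are per-host facts (not visible here) the directories can be skipped even though another host needs them. The tokens task name also has a typo: `exits` should read `exists`.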