diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml
index 8debf8c74b..2774581a0a 100644
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@@ -129,7 +129,9 @@ outputs:
                 cap_mon: 'allow profile bootstrap-osd'
               CEPH_CLIENT_KEY:
                 secret: {get_param: CephClientKey}
-                mode: '0644'
+                mode: '0640'
+                user: 'ceph'
+                group: 'ceph'
                 cap_mon: 'allow r'
                 cap_osd:
                   str_replace:
@@ -141,7 +143,9 @@ outputs:
                       GLANCE_POOL: {get_param: GlanceRbdPoolName}
                       GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
               MANILA_CLIENT_KEY:
-                mode: '0644'
+                mode: '0640'
+                user: 'ceph'
+                group: 'ceph'
                 secret: {get_param: CephManilaClientKey}
                 cap_mon: 'allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\"'
                 cap_mds: 'allow *'