diff --git a/extras.d/60-ceph.sh b/extras.d/60-ceph.sh
index 5fb34ea89b..50bdfaee3b 100644
--- a/extras.d/60-ceph.sh
+++ b/extras.d/60-ceph.sh
@@ -26,8 +26,9 @@ if is_service_enabled ceph; then
         if is_service_enabled cinder; then
             echo_summary "Configuring Cinder for Ceph"
             configure_ceph_cinder
-            # NOTE (leseb): the part below is a requirement from Cinder in order to attach volumes
-            # so we should run the following within the if statement.
+        fi
+        if is_service_enabled cinder || is_service_enabled nova; then
+            # NOTE (leseb): the part below is a requirement to attach Ceph block devices
             echo_summary "Configuring libvirt secret"
             import_libvirt_secret_ceph
         fi
diff --git a/lib/ceph b/lib/ceph
index 2e68ce588d..e55738c0d2 100644
--- a/lib/ceph
+++ b/lib/ceph
@@ -225,6 +225,11 @@ function configure_ceph_nova {
     iniset $NOVA_CONF libvirt images_type rbd
     iniset $NOVA_CONF libvirt images_rbd_pool ${NOVA_CEPH_POOL}
     iniset $NOVA_CONF libvirt images_rbd_ceph_conf ${CEPH_CONF_FILE}
+
+    if ! is_service_enabled cinder; then
+        sudo ceph -c ${CEPH_CONF_FILE} auth get-or-create client.${CINDER_CEPH_USER} mon "allow r" osd "allow class-read object_prefix rbd_children, allow rwx pool=${CINDER_CEPH_POOL}, allow rwx pool=${NOVA_CEPH_POOL},allow rx pool=${GLANCE_CEPH_POOL}" | sudo tee ${CEPH_CONF_DIR}/ceph.client.${CINDER_CEPH_USER}.keyring > /dev/null
+        sudo chown ${STACK_USER}:$(id -g -n $whoami) ${CEPH_CONF_DIR}/ceph.client.${CINDER_CEPH_USER}.keyring
+    fi
 }
 
 # configure_ceph_cinder() - Cinder config needs to come after Cinder is set up