diff --git a/files/common/ansible-pub-key b/files/common/ansible-pub-key
new file mode 100644
index 0000000000..1fa0bf30b8
--- /dev/null
+++ b/files/common/ansible-pub-key
@@ -0,0 +1,3 @@
+#ansible root key
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmS3g5fSXizcCqKMI1n5WPFrfMyu7BMrMkMYyck07rB/cf2orO8kKj5schjILA8NYJFStlv2CGRXmQlendj523FPzPmzxvTP/OT4qdywa4LKGvAxOkRGCMMxWzVFLdEMzsLUE/+FLX+xd1US9UPLGRsbMkdz4ORCc0G8gqTr835H56mQPI+/zPFeQjHoHGYtQA1wnJH/0LCuFFfU82IfzrXzFDIBAA5i2S+eEOk7/SA4Ciek1CthNtqPX27M6UqkJMBmVpnAdeDz2noWMvlzAAUQ7dHL84CiXbUnF3hhYrHDbmD+kEK+KiRrYh3PT+5YfEPVI/xiDJ2fdHGxY7Dr2TQ== root@lockbox01.phx2.fedoraproject.org
+
diff --git a/tasks/cloud_setup_basic.yml b/tasks/cloud_setup_basic.yml
index 1e2b699d1b..5067cdb5d0 100644
--- a/tasks/cloud_setup_basic.yml
+++ b/tasks/cloud_setup_basic.yml
@@ -25,17 +25,17 @@
 action: shell hostname ${hostbase}`curl -s http://169.254.169.254/latest/meta-data/instance-id`
 tags:
 - config
+
+- name: add ansible root key
+ action: authorized_key user=root key='$FILE(${files}/common/ansible-pub-key)'
+ tags:
+ - config
-- name: put sysadmin-main in place for sshing in
- action: copy src=$files/common/sysadmin-main dest=/root/.ssh/authorized_keys mode=600 backup=true
+- name: add root keys for sysadmin-main and other allowed users
+ action: authorized_key user=root key='$PIPE(${auth_keys_from_fas} @sysadmin-main ${root_auth_users})'
 tags:
 - config
-- name: add root keys for other allowed users
- action: authorized_key user=root key='$PIPE(${auth_keys_from_fas} ${root_auth_users})'
- only_if: is_set('${root_auth_users}')
- tags:
- - config
 # note - kinda should be a handler - but handlers need args
 - name: restorecon
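Review bot: The key line in files/common/ansible-pub-key carries no authorized_keys options, so once the tasks hunk installs it for root it is accepted from any source address. If the control host has a stable address as seen from the cloud instances, consider a restriction prefix such as `from="<CONTROL_HOST_ADDRESS>" ssh-rsa …` (a placeholder, not a value from this commit). The `#ansible root key` comment could also name who owns the key and how it is rotated, since `$FILE(...)` in the tasks hunk appears to inline the whole file, comment included.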
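Review bot: Replacing the `copy ... dest=/root/.ssh/authorized_keys` task with `authorized_key` in tasks/cloud_setup_basic.yml changes root's key file from overwritten to append-only: as far as I know `authorized_key` only ensures the given keys are present, so keys already baked into the image, or keys of people later dropped from sysadmin-main or `root_auth_users`, stay in place. If that is intended, say so above the task, e.g. `# authorized_key only adds keys; removing a user from FAS does not revoke access on existing instances`. The `only_if: is_set('${root_auth_users}')` guard is also gone, so `${root_auth_users}` is now interpolated into the `$PIPE(...)` command even when unset; it is worth confirming the lookup script copes with an empty or unexpanded argument, and that a failed or empty lookup fails the task rather than quietly installing no sysadmin keys. The restorecon task that follows continues outside the hunk.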