diff --git a/v3/fleet-local/control/chronos@.service b/v3/fleet-local/control/chronos@.service
index 6b0db10..ffa1712 100644
--- a/v3/fleet-local/control/chronos@.service
+++ b/v3/fleet-local/control/chronos@.service
@@ -7,11 +7,11 @@ Requires=docker.service
 [Service]
 # NOTE: chronos doesn't need the `zk://`
 Environment=ZOOKEEPER_HOST=localhost:2181
-Environment="IMAGE=etcdctl get /images/chronos"
-Environment="ZK_USERNAME=etcdctl get /zookeeper/config/username"
-Environment="ZK_PASSWORD=etcdctl get /zookeeper/config/password"
-Environment="ZK_ENDPOINT=etcdctl get /zookeeper/config/endpoint"
-Environment="MESOS_USERNAME=etcdctl get /mesos/config/username"
+Environment="IMAGE=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /images/chronos"
+Environment="ZK_USERNAME=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /zookeeper/config/username"
+Environment="ZK_PASSWORD=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /zookeeper/config/password"
+Environment="ZK_ENDPOINT=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /zookeeper/config/endpoint"
+Environment="MESOS_USERNAME=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /mesos/config/username"
 User=core
 Restart=always
diff --git a/v3/fleet-local/worker/mesos-slave@.service b/v3/fleet-local/worker/mesos-slave@.service
index 590fd99..73aedfe 100644
--- a/v3/fleet-local/worker/mesos-slave@.service
+++ b/v3/fleet-local/worker/mesos-slave@.service
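Review bot: Every added `Environment=` line authenticates as the etcd root account (`/opt/etcdctl/root`, `/opt/etcdctl/root-password`) for what is only a `get`, so a unit running as `User=core` now depends on full-privilege etcd credentials where read access would do. The `-u user:password` form also puts the password into etcdctl's argument list, where a process listing on the host can show it while the command runs. The four added lines in the first hunk of `mesos-slave@.service` have the same issue. The setup script in this commit appears to create a read-only account as well (its cleanup names `read-user.json`), so these lookups should use that account's credential files. A comment above the block, such as `# etcd lookups use the read-only account; credential files must be readable by core only`, would record the intent.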
@@ -4,10 +4,10 @@ After=docker.service bootstrap.service
 Requires=docker.service bootstrap.service
 [Service]
-Environment="IMAGE=etcdctl get /images/mesos-slave"
-Environment="ZK_USERNAME=etcdctl get /zookeeper/config/username"
-Environment="ZK_PASSWORD=etcdctl get /zookeeper/config/password"
-Environment="ZK_ENDPOINT=etcdctl get /zookeeper/config/endpoint"
+Environment="IMAGE=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /images/mesos-slave"
+Environment="ZK_USERNAME=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /zookeeper/config/username"
+Environment="ZK_PASSWORD=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /zookeeper/config/password"
+Environment="ZK_ENDPOINT=etcdctl -u $(cat /opt/etcdctl/root):$(cat /opt/etcdctl/root-password) get /zookeeper/config/endpoint"
 EnvironmentFile=/etc/environment
 User=core
@@ -20,7 +20,7 @@ ExecStartPre=/usr/bin/systemctl is-active update-os.service
 # ExecStart from spinning up and mounting / creating .dockercfg/ as a dir
 ExecStartPre=/usr/bin/bash -c "if [ ! -f /home/core/.dockercfg ]; then exit 1; fi"
 ExecStartPre=/usr/bin/bash -c "if [ ! -f /opt/mesos/credentials ]; then exit 1; fi"
-ExecStartPre=/usr/bin/sh -c "source /etc/profile.d/etcdctl.sh && docker pull $($IMAGE)"
+ExecStartPre=/usr/bin/sh -c "source /etc/profile.d/etcdctl.sh && docker pull $IMAGE"
 ExecStartPre=-/usr/bin/docker kill mesos-slave
 ExecStartPre=-/usr/bin/docker rm mesos-slave
@@ -39,7 +39,7 @@ ExecStart=/usr/bin/bash -c "source /etc/profile.d/etcdctl.sh && \
 -v /lib64/libgcrypt.so:/lib/libgcrypt.so.20:ro \
 -v /var/lib/mesos/slave:/var/lib/mesos/slave \
 -v /opt/mesos/credentials:/opt/mesos/credentials:ro \
- $($IMAGE) \
+ $IMAGE \
 --ip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) \
 --attributes=zone:$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)\;os:coreos\;worker_group:$WORKER_GROUP \
 --containerizers=docker,mesos \
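Review bot: In `docker pull $IMAGE` the variable is no longer executed, so the shell substitutes the text of `IMAGE` itself (`etcdctl -u $(cat … get /images/mesos-slave`) instead of the image name stored in etcd. The `$IMAGE \` line in the last hunk's `docker run` arguments has the same problem. As far as these lines show, `Environment=` values are not run through a shell and an expanded variable is not re-scanned for `$(…)`, so the embedded `cat` calls would not run under the old `$($IMAGE)` form either. Unless `/etc/profile.d/etcdctl.sh` (not visible here) compensates, the lookup should sit in the command itself, e.g. `docker pull $(etcdctl -u … get /images/mesos-slave)`, so that a failed or unauthenticated lookup fails the unit rather than passing stray arguments to docker. The `ExecStart=` command begins before and continues past the last hunk.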
diff --git a/v3/setup/etcdctl-auth.sh b/v3/setup/etcdctl-auth.sh
index 0e5060e..52ab0bb 100755
--- a/v3/setup/etcdctl-auth.sh
+++ b/v3/setup/etcdctl-auth.sh
@@ -28,6 +28,12 @@ sudo cat << EOF > $CRED_DIR/${1}.json
 "password": "$2"
 }
 EOF
+sudo cat << EOF > $CRED_DIR/${1}
+$1
+EOF
+sudo cat << EOF > $CRED_DIR/${1}-password
+$2
+EOF
 }
 add_users $ROOT_USERNAME $ROOT_PASSWORD
@@ -62,4 +68,4 @@ curl -L http://127.0.0.1:2379/v2/auth/users/${WRITE_USERNAME} -XPUT -d "@$CRED_D
 # Enable authentication
 etcdctl auth enable
-sudo rm -rf $CRED_DIR
+sudo rm -rf $CRED_DIR/read-user.json $CRED_DIR/root.json
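Review bot: The two added here-documents write the username and the plaintext password to `$CRED_DIR/${1}` and `$CRED_DIR/${1}-password` without setting a mode, so the files get whatever the caller's umask allows. `sudo` applies only to `cat`; the `>` redirection is opened by the invoking shell, so it neither elevates the write nor restricts the result. Because `add_users` is called with `$ROOT_USERNAME $ROOT_PASSWORD` just below, the etcd root password ends up in a file that other local users may be able to read. I would create it under a restrictive umask with quoted expansions, e.g. `( umask 077; printf '%s\n' "$2" > "$CRED_DIR/${1}-password" )`, and write it only for the account the units actually read. The start of `add_users` is outside the hunk.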
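Review bot: The cleanup now removes only two hard-coded names, `read-user.json` and `root.json`, although the files were created from `${1}`, so it misses them whenever the configured usernames differ. It also leaves behind everything else the script wrote to `$CRED_DIR`. That appears to include the JSON body passed to `curl` for `${WRITE_USERNAME}` (its path is cut off in the hunk header, so this is inferred) and the new plaintext `<user>` / `<user>-password` files for every account given to `add_users`. If only the root pair is meant to survive for the units, delete the rest explicitly using the same variables that created them, with quoted paths, for example `sudo rm -f -- "$CRED_DIR/${ROOT_USERNAME}.json"` and likewise for the other accounts. A comment such as `# keep only the credential files the units read; remove every other secret written during setup` would state the intent.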