diff --git a/roles/pvc/tasks/bootstrap_ceph.yml b/roles/pvc/tasks/bootstrap_ceph.yml
index 004b73c..824d552 100644
--- a/roles/pvc/tasks/bootstrap_ceph.yml
+++ b/roles/pvc/tasks/bootstrap_ceph.yml
@@ -154,3 +154,7 @@
     name: ceph-mon@{{ ansible_hostname }}
     state: started
     enabled: yes
+
+- name: create Libvirt keyring
+  command: ceph auth get-or-create client.libvirt mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=pvc*'
+  run_once: yes