diff --git a/cluster/gce/templates/create-dynamic-salt-files.sh b/cluster/gce/templates/create-dynamic-salt-files.sh
index b059aab6ac6..c02ff5d7e63 100644
--- a/cluster/gce/templates/create-dynamic-salt-files.sh
+++ b/cluster/gce/templates/create-dynamic-salt-files.sh
@@ -29,8 +29,6 @@ EOF
 mkdir -p /srv/salt-overlay/salt/nginx
 echo $MASTER_HTPASSWD > /srv/salt-overlay/salt/nginx/htpasswd
-# TODO: do aws.
-
 # Generate and distribute a shared secret (bearer token) to
 # apiserver and kubelet so that kubelet can authenticate to
 # apiserver to send events.
diff --git a/cluster/saltbase/salt/kube-apiserver/default b/cluster/saltbase/salt/kube-apiserver/default
index 04c55a310d8..4e6e51f8595 100644
--- a/cluster/saltbase/salt/kube-apiserver/default
+++ b/cluster/saltbase/salt/kube-apiserver/default
@@ -29,7 +29,15 @@
 {% set cert_file = "-tls_cert_file=/srv/kubernetes/server.cert" %}
 {% set key_file = "-tls_private_key_file=/srv/kubernetes/server.key" %}
+
 {% set secure_port = "-secure_port=6443" %}
-{% set token_auth_file = "-token_auth_file=/srv/kubernetes/known_tokens.csv" %}
+{% set token_auth_file = "-token_auth_file=/dev/null" %}
+
+{% if grains.cloud is defined %}
+{% if grains.cloud == 'gce' %}
+ # TODO: generate and distribute tokens for other cloud providers.
+ {% set token_auth_file = "-token_auth_file=/srv/kubernetes/known_tokens.csv" %}
+{% endif %}
+{% endif %}
 DAEMON_ARGS="{{daemon_args}} {{address}} {{etcd_servers}} {{ cloud_provider }} --allow_privileged={{pillar['allow_privileged']}} {{portal_net}} {{cert_file}} {{key_file}} {{secure_port}} {{token_auth_file}}"
diff --git a/cluster/saltbase/salt/kube-apiserver/init.sls b/cluster/saltbase/salt/kube-apiserver/init.sls
index fab9e7367a3..ba21f2482d5 100644
--- a/cluster/saltbase/salt/kube-apiserver/init.sls
+++ b/cluster/saltbase/salt/kube-apiserver/init.sls
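Review bot: The new non-GCE default `{% set token_auth_file = "-token_auth_file=/dev/null" %}` still hands the apiserver a token file flag, so off GCE the bearer-token path is presumably left with an empty token set rather than being visibly switched off, and nothing in the template says that this is intended. Prefer `{% set token_auth_file = "" %}` as the default so the flag is omitted entirely on other providers, and widen the in-block comment to state that kubelet-to-apiserver token auth is only wired up on GCE until the TODO is resolved. The two nested conditionals can be collapsed to `{% if grains.cloud is defined and grains.cloud == 'gce' %}`, which needs a single `{% endif %}`; a Jinja `if` block does not open a new scope, so the inner `{% set %}` keeps working. The `DAEMON_ARGS` line that consumes `{{token_auth_file}}` is context, not changed here.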
@@ -38,6 +38,9 @@
 {% endif %}
+{% if grains.cloud is defined %}
+{% if grains.cloud == 'gce' %}
+# TODO: generate and distribute tokens on other cloud providers.
 /srv/kubernetes/known_tokens.csv:
   file.managed:
     - source: salt://kube-apiserver/known_tokens.csv
@@ -45,6 +48,9 @@
     - group: kube-apiserver
     - mode: 400
+{% endif %}
+{% endif %}
+
 kube-apiserver:
   group.present:
     - system: True
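Review bot: Wrapping the `file.managed` state for `/srv/kubernetes/known_tokens.csv` in the `grains.cloud == 'gce'` guard means that on every other provider Salt simply stops managing the file; a copy placed by a highstate run before this change would stay on the master with whatever ownership and mode it already has, even though the apiserver `default` template in this same commit no longer points at it there. An `{% else %}` branch in the second hunk (`@@ -45,6 +48,9 @@`) declaring `/srv/kubernetes/known_tokens.csv:` with `file.absent` would make the non-GCE state explicit and clear out a stale credential file. Both hunks of this file use the same nested-`if` pair; `{% if grains.cloud is defined and grains.cloud == 'gce' %}` would need only one `{% endif %}` at each end. The `file.managed` stanza spans the two hunks, so the attribute lines between them are not visible here.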