diff --git a/cluster/aws/templates/create-dynamic-salt-files.sh b/cluster/aws/templates/create-dynamic-salt-files.sh
index 682d9fbbc3b..33050b3591c 100644
--- a/cluster/aws/templates/create-dynamic-salt-files.sh
+++ b/cluster/aws/templates/create-dynamic-salt-files.sh
@@ -52,3 +52,14 @@ known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
 mkdir -p /srv/salt-overlay/salt/kubelet
 kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
 (umask u=rw,go= ; echo "{\"BearerToken\": \"$kubelet_token\", \"Insecure\": true }" > $kubelet_auth_file)
+
+# Generate tokens for other "service accounts". Append to known_tokens.
+#
+# NB: If this list ever changes, this script actually has to
+# change to detect the existence of this file, kill any deleted
+# old tokens and add any new tokens (to handle the upgrade case).
+local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
+for account in "${service_accounts[@]}"; do
+ token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+ echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"
+done
diff --git a/cluster/vagrant/provision-master.sh b/cluster/vagrant/provision-master.sh
index 774201ed8fd..0175cf70ed2 100755
--- a/cluster/vagrant/provision-master.sh
+++ b/cluster/vagrant/provision-master.sh
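Review bot: `local -r service_accounts=(...)` is used at file scope in create-dynamic-salt-files.sh — the surrounding context lines are top-level statements — and bash rejects `local` outside a function, so the array is never populated and the loop appends no tokens (or the script aborts if it runs under `set -e`); use `readonly service_accounts=(...)` instead. The append target `"${KNOWN_TOKENS_FILE}"` also does not match the lower-case `known_tokens_file` the hunk header shows this file using, so unless the upper-case name is defined elsewhere the redirection expands to an empty path and every `echo` fails; `>> "${known_tokens_file}"` looks like the intended line. Both problems are repeated verbatim in the provision-master.sh hunk, where the enclosing `if` may or may not sit inside a function — worth checking before keeping `local` there.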
@@ -145,6 +145,17 @@ if [[ ! -f "${known_tokens_file}" ]]; then
 mkdir -p /srv/salt-overlay/salt/kubelet
 kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
 (umask u=rw,go= ; echo "{\"BearerToken\": \"$kubelet_token\", \"Insecure\": true }" > $kubelet_auth_file)
+
+ # Generate tokens for other "service accounts". Append to known_tokens.
+ #
+ # NB: If this list ever changes, this script actually has to
+ # change to detect the existence of this file, kill any deleted
+ # old tokens and add any new tokens (to handle the upgrade case).
+ local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
+ for account in "${service_accounts[@]}"; do
+ token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+ echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"
+ done
 fi
 
 # Configure nginx authorization
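Review bot: The trailing `dd bs=32 count=1` in the token pipeline issues a single read() on a pipe and returns whatever that one read delivers, so if the upstream `tr` output arrives in more than one write a token can silently come out shorter than the intended 32 characters, weakening it without any error. `head -c 32` (or GNU `dd ... iflag=fullblock`) keeps reading until 32 bytes are available: `token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | head -c 32)`. The `if [[ ! -f "${known_tokens_file}" ]]` block these lines live in opens before the hunk, so the tokens are only ever written on first provisioning, which the NB comment already acknowledges.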