diff --git a/lib/embedded_ansible.rb b/lib/embedded_ansible.rb
index 638ae51ba78..ea5a9613704 100644
--- a/lib/embedded_ansible.rb
+++ b/lib/embedded_ansible.rb
@@ -99,6 +99,10 @@ def self.run_setup_script(exclude_tags)
       }
       AwesomeSpawn.run!(SETUP_SCRIPT, :params => params)
     end
+  rescue AwesomeSpawn::CommandResultError => e
+    _log.error("EmbeddedAnsible setup script failed with: #{e.message}")
+    miq_database.ansible_secret_key = nil
+    raise
   end
   private_class_method :run_setup_script
 
diff --git a/spec/lib/embedded_ansible_spec.rb b/spec/lib/embedded_ansible_spec.rb
index 540f93c3f92..88121025ec9 100644
--- a/spec/lib/embedded_ansible_spec.rb
+++ b/spec/lib/embedded_ansible_spec.rb
@@ -262,10 +262,10 @@
       before do
         expect(described_class).to receive(:configured?).and_return(false)
         expect(described_class).to receive(:configure_secret_key)
-        expect(described_class).to receive(:alive?).and_return(true)
       end
 
       it "generates new passwords with no passwords set" do
+        expect(described_class).to receive(:alive?).and_return(true)
         expect(described_class).to receive(:generate_database_authentication).and_return(double(:userid => "awx", :password => "databasepassword"))
         expect(AwesomeSpawn).to receive(:run!) do |script_path, options|
           params                  = options[:params]
@@ -290,6 +290,7 @@
       end
 
       it "uses the existing passwords when they are set in the database" do
+        expect(described_class).to receive(:alive?).and_return(true)
         miq_database.set_ansible_admin_authentication(:password => "adminpassword")
         miq_database.set_ansible_rabbitmq_authentication(:userid => "rabbituser", :password => "rabbitpassword")
         miq_database.set_ansible_database_authentication(:userid => "databaseuser", :password => "databasepassword")
@@ -312,6 +313,15 @@
 
         described_class.start
       end
+
+      it "removes the secret key from the database when setup fails" do
+        miq_database.ansible_secret_key = "supersecretkey"
+        expect(described_class).to receive(:generate_database_authentication).and_return(double(:userid => "awx", :password => "databasepassword"))
+
+        expect(AwesomeSpawn).to receive(:run!).and_raise(AwesomeSpawn::CommandResultError.new("error", 1))
+        expect { described_class.start }.to raise_error(AwesomeSpawn::CommandResultError)
+        expect(miq_database.reload.ansible_secret_key).not_to be_present
+      end
     end
 
     describe ".generate_database_authentication (private)" do