sensu · hillaryfraley · Feb 25, 2020 · Feb 25, 2020 · Feb 25, 2020 · Feb 25, 2020
diff --git a/content/sensu-go/5.18/guides/clustering.md b/content/sensu-go/5.18/guides/clustering.md
@@ -258,11 +258,44 @@ See [Secure Sensu][16] for information about cluster security.
 
 ## Use an external etcd cluster
 
-To use Sensu with an external etcd cluster, you must have etcd 3.3.2 or newer.
-To stand up an external etcd cluster, follow etcd's [clustering guide][2] using the same store configuration.
+Using Sensu with an external etcd cluster requires etcd 3.3.2 or newer but is not compatible with etcd 3.4.0 or newer.
+Follow etcd's [clustering guide][2] using the same store configuration to stand up an external etcd cluster.
 
-In this example, you will enable client-to-server and peer communication authentication [using self-signed TLS certificates][13].
-To start etcd for `backend-1` based on the [three-node configuration example][19]:
+To initialize a backend that uses etcd authentication, configure read and write access to the `/sensu.io/` key space for your users:
+{{< highlight shell >}}
+# Add the sensu user (you will receive an interactive prompt for the password)
+etcdctl user add sensu
+# Create a role
+etcdctl role add sensu_readwrite
+# Give that role permission to read and write under the /sensu.io/ keyspace
+etcdctl role grant-permission sensu_readwrite readwrite --from-key '/sensu.io/'
+# Grant the sensu user the role
+etcdctl user grant-role sensu sensu_readwrite
+{{< /highlight >}}
+
+To double-check that the grant is configured correctly, run:
+
+{{< highlight shell >}}
+/opt/etcd/etcdctl user get USERNAME --detail
+{{< /highlight >}}
+
+The output should be:
+
+{{< highlight shell >}}
+User: USERNAME
+
+Role sensu_readwrite
+KV Read:
+	[/sensu.io/, <open ended>
+KV Write:
+	[/sensu.io/, <open ended>
+{{< /highlight >}}
+
+
+Etcd does not enable authentication by default, so additional configuration may be needed before etcd will enforce these controls.
+See the [etcd operators documentation][12] for details.
+
+To enable client-to-server and peer communication authentication [using self-signed TLS certificates][13], start etcd for `backend-1` based on the [three-node configuration example][19]:
 
 {{< highlight shell >}}
 etcd \
@@ -286,11 +319,10 @@ etcd \
 {{< /highlight >}}
 
 {{% notice note %}}
-**NOTE**: The `auto-compaction-mode` and `auto-compaction-retention` flags are important.
-Without these settings, your database may quickly reach etcd's maximum database size limit.
+**NOTE**: Without the `auto-compaction-mode` and `auto-compaction-retention` flags, your database may quickly reach etcd's maximum database size limit.
 {{% /notice %}}
 
-To tell Sensu to use this external etcd data source, add the `sensu-backend` flag `--no-embed-etcd` to the original configuration, along with the path to a client certificate created using your CA:
+Next, tell Sensu to use this external etcd data source by adding the `sensu-backend` flag `--no-embed-etcd` to the original configuration and the path to a client certificate created using your CA:
 
 {{< highlight shell >}}
 sensu-backend start \
@@ -323,7 +355,7 @@ See the [etcd recovery guide][9] for disaster recovery information.
 [10]: https://github.com/cloudflare/cfssl
 [11]: https://etcd.io/docs/v3.4.0/op-guide/clustering/#self-signed-certificates
 [12]: https://etcd.io/docs/v3.4.0/op-guide/
-[13]: ../../guides/generate-certificates/
+[13]: ../generate-certificates/
 [15]: ../../reference/backend/
 [16]: ../securing-sensu/
 [17]: ../../sensuctl/reference/