diff --git a/README.md b/README.md
index 198d10ed6667569678e9eefe52d099ff34186d1b..89fec1d03385a12d6af8cc3a2dfd4244cafa2310 100644
--- a/README.md
+++ b/README.md
@@ -94,16 +94,12 @@ sops support meaning it will be able to decrypt the values when deploying.
 
 ### Setup
 
-First install the sops client (we need our custom build for now to get barbican support):
+Get the sops client (we need our custom build for now to get barbican support):
 ```bash
 wget https://gitlab.cern.ch/cloud/sops/-/jobs/8834328/artifacts/raw/sops?inline=false
 ```
 
-Then make sure you have your OpenStack environment setup. If you're relying on
-kerberos authentication, you'll need to fetch a token first:
-```bash
-export OS_TOKEN=$(openstack token issue -c id -f value)
-```
+Then make sure you have your OpenStack environment setup.
 
 **Important**: The environment above must match the project owning the Kubernetes cluster where Flux is being deployed
 
@@ -118,6 +114,17 @@ $ export KEY="$(openssl rand -base64 32)\n$(openssl rand -base64 12)"
 $ openstack secret store -s symmetric -p "$(echo -e $KEY)" -n gitops-getting-started
 ```
 
+If you see an error like the one below, unset the `OS_TOKEN` in your
+environment to run `openstack secret`:
+```
+__init__() got an unexpected keyword argument 'token'
+```
+
+If you're relying on kerberos authentication, from here on you'll need to fetch a token first:
+```bash
+export OS_TOKEN=$(openstack token issue -c id -f value)
+```
+
 Check the secret href of the generated secret and pass that to sops:
 ```bash
 sops --barbican https://openstack.cern.ch:9311/v1/secrets/SOMEID \