diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst
index e8153efbc..248e3531b 100644
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@@ -35,6 +35,7 @@ General Purpose Roles
 .. zuul:autorole:: remove-gpgkey
 .. zuul:autorole:: remove-sshkey
 .. zuul:autorole:: render-diff
+.. zuul:autorole:: remove-zuul-sshkey
 .. zuul:autorole:: revoke-sudo
 .. zuul:autorole:: run-dstat
 .. zuul:autorole:: sign-artifacts
diff --git a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
index d4d6db66c..a34d33b05 100644
--- a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
+++ b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
@@ -11,13 +11,8 @@
 include: remote-windows.yaml
 when: ansible_os_family == "Windows"

-- name: Remove master key from local agent
- # The master key has a filename, all others (e.g., per-project keys)
- # have "(stdin)" as a comment.
- sshagent_remove_keys:
- remove: '^(?!\(stdin\)).*'
- delegate_to: localhost
- run_once: true
+- import_role:
+ name: remove-zuul-sshkey

 - name: Add back temp key
 command: ssh-add {{ zuul_temp_ssh_key }}
diff --git a/roles/remove-zuul-sshkey/README.rst b/roles/remove-zuul-sshkey/README.rst
new file mode 100644
index 000000000..2c2d3d241
--- /dev/null
+++ b/roles/remove-zuul-sshkey/README.rst
@@ -0,0 +1,4 @@
+Remove the zuul ssh key
+
+This role is intended to be run on the Zuul Executor at the start of
+every job to prevent access to public Zuul ssh connection.
diff --git a/roles/add-build-sshkey/__init__.py b/roles/remove-zuul-sshkey/__init__.py
similarity index 100%
rename from roles/add-build-sshkey/__init__.py
rename to roles/remove-zuul-sshkey/__init__.py
diff --git a/roles/add-build-sshkey/library/__init__.py b/roles/remove-zuul-sshkey/library/__init__.py
similarity index 100%
rename from roles/add-build-sshkey/library/__init__.py
rename to roles/remove-zuul-sshkey/library/__init__.py
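Review bot: In roles/add-build-sshkey/tasks/create-key-and-replace.yaml the new `import_role` entry has neither a `name:` nor a comment, so this file no longer says that the master key is dropped from the local agent just before `Add back temp key` runs. I would head the entry with `- name: Remove master key from local agent` and put `import_role:` under it, or keep a one-line comment such as `# Removes the Zuul master key from the local ssh-agent; the temp key is re-added next.` The `sshagent_remove_keys` module now ships only with remove-zuul-sshkey, so add-build-sshkey depends on that role being resolvable at import time, which its README should mention. The task list starts and ends outside this hunk.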
diff --git a/roles/add-build-sshkey/library/sshagent_remove_keys.py b/roles/remove-zuul-sshkey/library/sshagent_remove_keys.py
similarity index 100%
rename from roles/add-build-sshkey/library/sshagent_remove_keys.py
rename to roles/remove-zuul-sshkey/library/sshagent_remove_keys.py
diff --git a/roles/add-build-sshkey/library/test_sshagent_remove_keys.py b/roles/remove-zuul-sshkey/library/test_sshagent_remove_keys.py
similarity index 100%
rename from roles/add-build-sshkey/library/test_sshagent_remove_keys.py
rename to roles/remove-zuul-sshkey/library/test_sshagent_remove_keys.py
diff --git a/roles/remove-zuul-sshkey/tasks/main.yaml b/roles/remove-zuul-sshkey/tasks/main.yaml
new file mode 100644
index 000000000..e417f5830
--- /dev/null
+++ b/roles/remove-zuul-sshkey/tasks/main.yaml
@@ -0,0 +1,8 @@
+---
+- name: Remove master key from local agent
+ # The master key has a filename, all others (e.g., per-project keys)
+ # have "(stdin)" as a comment.
+ sshagent_remove_keys:
+ remove: '^(?!\(stdin\)).*'
+ delegate_to: localhost
+ run_once: true
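Review bot: The pattern in roles/remove-zuul-sshkey/tasks/main.yaml, `remove: '^(?!\(stdin\)).*'`, identifies the master key only by its agent comment: every identity whose comment does not start with `(stdin)` is removed, and every one that does is kept. Because the README presents this role as the step that keeps jobs away from the Zuul connection key, the task comment should state that assumption explicitly, e.g. `# Assumes the master key was loaded from a file; a key added via stdin keeps the "(stdin)" comment and would stay in the agent.` The module is moved unchanged and not shown here, so whether it fails or silently succeeds when no agent is reachable or nothing matches cannot be judged from this diff; if it does not fail, a check of `ssh-add -l` output after this task would make the role's effect verifiable.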