diff --git a/install.sh b/install.sh
index 714856e..8b4f063 100755
--- a/install.sh
+++ b/install.sh
@@ -1,36 +1,36 @@
 #!/usr/bin/env bash
 set -e
 
 # Pre-pre-flight? 🤷
 if [[ -n "$MSYSTEM" ]]; then
   echo "Seems like you are using an MSYS2-based system (such as Git Bash) which is not supported. Please use WSL instead.";
   exit 1
 fi
 
 source "$(dirname $0)/install/_lib.sh"  # does a `cd .../install/`, among other things
 
 # Pre-flight. No impact yet.
 source parse-cli.sh
 source dc-detect-version.sh
 source error-handling.sh
 source check-latest-commit.sh
 source check-minimum-requirements.sh
 
 # Let's go! Start impacting things.
 source turn-things-off.sh
 source create-docker-volumes.sh
 source ensure-files-from-examples.sh
+source ensure-relay-credentials.sh
 source generate-secret-key.sh
 source replace-tsdb.sh
 source update-docker-images.sh
 source build-docker-images.sh
 source set-up-zookeeper.sh
 source install-wal2json.sh
 source bootstrap-snuba.sh
 source create-kafka-topics.sh
 source upgrade-postgres.sh
 source set-up-and-migrate-database.sh
 source migrate-file-storage.sh
-source relay-credentials.sh
 source geoip.sh
 source wrap-up.sh
diff --git a/install/relay-credentials-test.sh b/install/ensure-relay-credentials-test.sh
similarity index 87%
rename from install/relay-credentials-test.sh
rename to install/ensure-relay-credentials-test.sh
index ea740f3..b153d63 100755
--- a/install/relay-credentials-test.sh
+++ b/install/ensure-relay-credentials-test.sh
@@ -1,24 +1,24 @@
 #!/usr/bin/env bash
 source "$(dirname $0)/_test_setup.sh"
 
 cfg="../relay/config.yml"
 creds="../relay/credentials.json"
 
 # Relay files don't exist in a clean clone.
 test ! -f $cfg
 test ! -f $creds
 
 # Running the install script adds them.
-source relay-credentials.sh
+source ensure-relay-credentials.sh
 test -f $cfg
 test -f $creds
 test "$(jq -r 'keys[2]' $creds)" = "secret_key"
 
 # If the files exist we don't touch it.
 echo GARBAGE > $cfg
 echo MOAR GARBAGE > $creds
-source relay-credentials.sh
+source ensure-relay-credentials.sh
 test "$(cat $cfg)" = "GARBAGE"
 test "$(cat $creds)" = "MOAR GARBAGE"
 
 report_success
diff --git a/install/ensure-relay-credentials.sh b/install/ensure-relay-credentials.sh
new file mode 100644
index 0000000..62388eb
--- /dev/null
+++ b/install/ensure-relay-credentials.sh
@@ -0,0 +1,34 @@
+echo "${_group}Ensuring Relay credentials ..."
+
+RELAY_CONFIG_YML="../relay/config.yml"
+RELAY_CREDENTIALS_JSON="../relay/credentials.json"
+
+ensure_file_from_example $RELAY_CONFIG_YML
+
+if [[ -f "$RELAY_CREDENTIALS_JSON" ]]; then
+  echo "$RELAY_CREDENTIALS_JSON already exists, skipped creation."
+else
+
+  # There are a couple gotchas here:
+  #
+  # 1. We need to use a tmp file because if we redirect output directly to
+  #    credentials.json, then the shell will create an empty file that relay
+  #    will then try to read from (regardless of options such as --stdout or
+  #    --overwrite) and fail because it is empty.
+  #
+  # 2. We need to use -T to avoid additional garbage output cluttering
+  #    credentials.json under Docker Compose 1.x and 2.2.3+. Note that the
+  #    long opt --no-tty doesn't exist in Docker Compose 1.
+
+  creds="$dcr --no-deps -T relay credentials"
+  $creds generate --stdout > "$RELAY_CREDENTIALS_JSON".tmp
+  mv "$RELAY_CREDENTIALS_JSON".tmp "$RELAY_CREDENTIALS_JSON"
+  if ! grep -q Credentials <($creds show); then
+    # Let's fail early if creds failed, to make debugging easier.
+    echo "Failed to create relay credentials in $RELAY_CREDENTIALS_JSON."
+    exit 1
+  fi
+  echo "Relay credentials written to $RELAY_CREDENTIALS_JSON."
+fi
+
+echo "${_endgroup}"