diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
index 900f7f5b76f6e3ca9bb282df14148f006684bd81..275378d71e83246017f0bdbccd137d0e4a02de31 100644
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -288,6 +288,7 @@ ironic_enabled_notification_topics: "{{ ironic_notification_topics | selectattr(
 ####################
 # Keystone
 ####################
+ironic_enable_keystone_integration: "{{ enable_keystone | bool }}"
 ironic_ks_services:
   - name: "ironic"
     type: "baremetal"
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
index f385fdc812393de8bcd4b488c6695f1445df53c0..9b7de4d5c2a6ec6395c5ae3d25801fe62f78d679 100644
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -6,7 +6,7 @@
 # suppressed by the deployer by setting a value for the option.
 
 [DEFAULT]
-{% if not enable_keystone | bool %}
+{% if not ironic_enable_keystone_integration | bool %}
 auth_strategy = noauth
 {% endif %}
 debug = {{ ironic_logging_debug }}
@@ -52,7 +52,7 @@ connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
@@ -143,7 +143,7 @@ cafile = {{ openstack_cacert }}
 {% endif %}
 
 [inspector]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
@@ -160,7 +160,7 @@ endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% endif %}
 
 [service_catalog]
-{% if enable_keystone | bool %}
+{% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
 project_domain_id = default
diff --git a/doc/source/reference/bare-metal/ironic-guide.rst b/doc/source/reference/bare-metal/ironic-guide.rst
index 8add19ed963c1342e617d07097913ea3d0a2f8e6..b9c893211c23ffe4a7f51785bfc2b6c621fd662a 100644
--- a/doc/source/reference/bare-metal/ironic-guide.rst
+++ b/doc/source/reference/bare-metal/ironic-guide.rst
@@ -106,6 +106,28 @@ enabled_boot_interfaces`` option in ``/etc/kolla/config/ironic.conf``:
    [DEFAULT]
    enabled_boot_interfaces = ipxe
 
+Attach ironic to external keystone (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In :kolla-ansible-doc:`multi-regional <user/multi-regions.html>` deployment
+keystone could be installed in one region (let's say region 1) and ironic -
+in another region (let's say region 2). In this case we don't install keystone
+together with ironic in region 2, but have to configure ironic to connect to
+existing keystone in region 1. To deploy ironic in this way we have to set
+variable ``enable_keystone`` to ``"no"``.
+
+.. code-block:: yaml
+
+    enable_keystone: "no"
+
+It will prevent keystone from being installed in region 2.
+
+To add keystone-related sections in ironic.conf, it is also needed to set
+variable ``ironic_enable_keystone_integration`` to ``"yes"``
+
+.. code-block:: yaml
+
+    ironic_enable_keystone_integration: "yes"
+
 Deployment
 ~~~~~~~~~~
 Run the deploy as usual:
diff --git a/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml b/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..002f3990e2c55ad56c7ada0b7cc06f3db14e6b40
--- /dev/null
+++ b/releasenotes/notes/update-ironic-template-for-keystone-1ee5f80fda7a21a0.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    New variable ``ironic_enable_keystone_integration`` was added.
+    It helps to add keystone connection information into
+    ``ironic.conf`` if we want to connect to existing keystone
+    (not installing it at the same time).