diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index 61d91d765a3b0ed8df31bb94750b34961aea14f5..9b3a0b9d01410aee8c2a9ef24192ef1b711e15d6 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -32,6 +32,15 @@
         group: "{{ ansible_facts.user_gid }}"
         mode: 0600
 
+    - name: Template out admin-openrc-system.sh
+      become: true
+      template:
+        src: "roles/common/templates/admin-openrc-system.sh.j2"
+        dest: "{{ node_config }}/admin-openrc-system.sh"
+        owner: "{{ ansible_facts.user_uid }}"
+        group: "{{ ansible_facts.user_gid }}"
+        mode: 0600
+
     - name: Template out public-openrc.sh
       become: true
       template:
diff --git a/ansible/roles/common/templates/admin-openrc-system.sh.j2 b/ansible/roles/common/templates/admin-openrc-system.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6b4d95b96977f9b217455599d5aa0da166ec2eaa
--- /dev/null
+++ b/ansible/roles/common/templates/admin-openrc-system.sh.j2
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+# Clear any old environment that may conflict.
+for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
+export OS_USER_DOMAIN_NAME='Default'
+export OS_SYSTEM_SCOPE=all
+export OS_USERNAME='{{ keystone_admin_user }}'
+export OS_PASSWORD='{{ keystone_admin_password }}'
+export OS_AUTH_URL='{{ keystone_internal_url }}'
+export OS_INTERFACE='internal'
+export OS_ENDPOINT_TYPE='internalURL'
+{% if enable_manila | bool %}
+export OS_MANILA_ENDPOINT_TYPE='internalURL'
+{% endif %}
+{% if enable_mistral | bool %}
+export OS_MISTRAL_ENDPOINT_TYPE='internalURL'
+{% endif %}
+export OS_IDENTITY_API_VERSION='3'
+export OS_REGION_NAME='{{ openstack_region_name }}'
+export OS_AUTH_PLUGIN='password'
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+export OS_CACERT='{{ kolla_admin_openrc_cacert }}'
+{% endif %}
diff --git a/ansible/roles/common/templates/clouds.yaml.j2 b/ansible/roles/common/templates/clouds.yaml.j2
index 574a603f9f7d491b771d7bea45360c873f1741c1..0485bedabfc8d7231014747a8445f811ecad8391 100644
--- a/ansible/roles/common/templates/clouds.yaml.j2
+++ b/ansible/roles/common/templates/clouds.yaml.j2
@@ -10,6 +10,17 @@ clouds:
     region_name: {{ openstack_region_name }}
 {% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
     cacert: {{ kolla_admin_openrc_cacert }}
+{% endif %}
+  kolla-admin-system:
+    auth:
+      auth_url: {{ keystone_public_url }}
+      user_domain_name: Default
+      system_scope: all
+      username: {{ keystone_admin_user }}
+      password: {{ keystone_admin_password }}
+    region_name: {{ openstack_region_name }}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+    cacert: {{ kolla_admin_openrc_cacert }}
 {% endif %}
   kolla-admin-internal:
     auth:
@@ -23,4 +34,16 @@ clouds:
     region_name: {{ openstack_region_name }}
 {% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
     cacert: {{ kolla_admin_openrc_cacert }}
+{% endif %}
+  kolla-admin-system-internal:
+    auth:
+      auth_url: {{ keystone_internal_url }}
+      user_domain_name: Default
+      system_scope: all
+      username: {{ keystone_admin_user }}
+      password: {{ keystone_admin_password }}
+    interface: internal
+    region_name: {{ openstack_region_name }}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+    cacert: {{ kolla_admin_openrc_cacert }}
 {% endif %}
diff --git a/tests/check-config.sh b/tests/check-config.sh
index f78b7fab9d676a828880f227d8a2b5632ab28705..d1fb7dd9fc4a0fd04f74a5e7f3d8661f7845c96c 100755
--- a/tests/check-config.sh
+++ b/tests/check-config.sh
@@ -23,6 +23,7 @@ function check_config {
                 -not -path /etc/kolla \
                 -not -path /etc/kolla/clouds.yaml \
                 -not -regex .*-openrc.sh \
+                -not -regex .*-openrc-system.sh \
                 -not -name globals.yml \
                 -not -name header \
                 -not -name inventory \
diff --git a/tests/test-ironic.sh b/tests/test-ironic.sh
index 55697fff0932b81e6356633ff3c4dc7c22f2291b..4b011669aa49b65411ee5be1a41a2d1e157e868b 100755
--- a/tests/test-ironic.sh
+++ b/tests/test-ironic.sh
@@ -9,14 +9,16 @@ export PYTHONUNBUFFERED=1
 
 function test_ironic_logged {
     # Assumes init-runonce has been executed.
-    . /etc/kolla/admin-openrc.sh
+    KOLLA_CONFIG_PATH=${KOLLA_CONFIG_PATH:-/etc/kolla}
+    export OS_CLIENT_CONFIG_FILE=${KOLLA_CONFIG_PATH}/clouds.yaml
+    export OS_CLOUD=kolla-admin-internal
     . ~/openstackclient-venv/bin/activate
 
     echo "Enabling DHCP on the external (\"public\") subnet"
     openstack subnet set --dhcp public1-subnet
 
     # Smoke test ironic API.
-    openstack baremetal driver list
+    openstack --os-cloud kolla-admin-system-internal baremetal driver list
     openstack baremetal node list
     openstack baremetal port list
     # Ironic Inspector API