diff --git a/ansible/roles/octavia/defaults/main.yml b/ansible/roles/octavia/defaults/main.yml
index e0b04d54775686dce9156b239aadc6ccc58071e6..0e03c02665c5ef793b0879d5baf5b6d28998e2fc 100644
--- a/ansible/roles/octavia/defaults/main.yml
+++ b/ansible/roles/octavia/defaults/main.yml
@@ -123,6 +123,10 @@ octavia_logging_debug: "{{ openstack_logging_debug }}"
 
 octavia_keystone_user: "octavia"
 
+# Project that Octavia will use to interact with other services.  Note that in
+# Train and earlier releases this was "admin".
+octavia_service_auth_project: "service"
+
 openstack_octavia_auth: "{{ openstack_auth }}"
 
 ####################
diff --git a/ansible/roles/octavia/tasks/register.yml b/ansible/roles/octavia/tasks/register.yml
index 39a0bc577b9fc80a3879ee9fe496e028b4265114..a2e75d4698b6833fee9e7fd581adcffc3ee31dcb 100644
--- a/ansible/roles/octavia/tasks/register.yml
+++ b/ansible/roles/octavia/tasks/register.yml
@@ -7,6 +7,20 @@
     service_ks_register_users: "{{ octavia_ks_users }}"
   tags: always
 
+- name: "Adding admin role to octavia user in {{ octavia_service_auth_project }} project"
+  become: true
+  kolla_toolbox:
+    module_name: "os_user_role"
+    module_args:
+      user: "{{ octavia_keystone_user }}"
+      role: admin
+      project: "{{ octavia_service_auth_project }}"
+      auth: "{{ openstack_octavia_auth }}"
+      endpoint_type: "{{ openstack_interface }}"
+      cacert: "{{ openstack_cacert }}"
+  run_once: True
+  when: octavia_service_auth_project != 'service'
+
 - name: Adding octavia related roles
   become: true
   kolla_toolbox:
diff --git a/ansible/roles/octavia/templates/octavia.conf.j2 b/ansible/roles/octavia/templates/octavia.conf.j2
index 128c695d43128e16320e0e8c35b0e11bc09cbb6c..d59e1cd02fc35046ca20333bbb877aa9fdc05072 100644
--- a/ansible/roles/octavia/templates/octavia.conf.j2
+++ b/ansible/roles/octavia/templates/octavia.conf.j2
@@ -33,7 +33,7 @@ auth_type = password
 username = {{ octavia_keystone_user }}
 password = {{ octavia_keystone_password }}
 user_domain_name = {{ default_user_domain_name }}
-project_name = {{ openstack_auth.project_name }}
+project_name = {{ octavia_service_auth_project }}
 project_domain_name = {{ default_project_domain_name }}
 cafile = {{ openstack_cacert }}
 
diff --git a/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml b/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
index 63b69524f3dc9dec396e9c874a80e60b949dcfaf..0c7bfde5aab4b75823ba083cf671440608102c7b 100644
--- a/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
+++ b/releasenotes/notes/remove-octavia-user-in-admin-project-action-95c87ca45a1188d6.yaml
@@ -3,7 +3,20 @@ upgrade:
   - |
     The octavia user is no longer given the admin role in the admin
     project. Octavia does not require this role and instead uses octavia
-    user with admin role in service project. During an upgrade the octavia
-    user is removed from the admin project. See
-    `bug 1873176 <https://bugs.launchpad.net/kolla-ansible/+bug/1873176>`__
+    user with admin role in service project. During an upgrade the octavia user
+    is removed from the admin project.
+
+    For existing deployments this may cause problems, so a
+    ``octavia_service_auth_project`` variable has been added which may be set
+    to ``admin`` to return to the previous behaviour.
+
+    To switch an existing deployment from using the ``admin`` project to the
+    ``service`` project, it will at least be necessary to create the required
+    security group in the ``service`` project, and update
+    ``octavia_amp_secgroup_list`` to this group's ID. Ideally the Amphora
+    flavor and network would also be recreated in the ``service`` project,
+    although this does not appear to be necessary for operation, and will
+    impact existing Amphorae.
+
+    See `bug 1873176 <https://bugs.launchpad.net/kolla-ansible/+bug/1873176>`__
     for details.