diff --git a/docker/common/heat/heat-base/config-heat.sh b/docker/common/heat/heat-base/config-heat.sh
index 449fbd9980ee4df592197b9cd2e1d1872d230a61..9275e5645a0ba99636c90dc6c7696c10298b196e 100755
--- a/docker/common/heat/heat-base/config-heat.sh
+++ b/docker/common/heat/heat-base/config-heat.sh
@@ -17,7 +17,8 @@ set -e
 check_required_vars HEAT_DB_PASSWORD HEAT_KEYSTONE_PASSWORD \
                     HEAT_API_CFN_URL_HOST HEAT_API_CFN_SERVICE_PORT \
                     KEYSTONE_PUBLIC_SERVICE_HOST KEYSTONE_PUBLIC_SERVICE_PORT \
-                    RABBITMQ_SERVICE_HOST MARIADB_SERVICE_HOST
+                    RABBITMQ_SERVICE_HOST MARIADB_SERVICE_HOST \
+                    HEAT_DOMAIN_PASS
 
 fail_unless_db
 dump_vars
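Review bot: The new variable is named `HEAT_DOMAIN_PASS`, while the secrets already in this list use a `_PASSWORD` suffix (`HEAT_DB_PASSWORD`, `HEAT_KEYSTONE_PASSWORD`), so anything that redacts or audits secrets by name pattern will miss it; `HEAT_DOMAIN_PASSWORD` would fit the existing convention. The same name appears in heat-engine/start.sh, docs/integration-guide.md and tools/genenv, so a rename has to touch all four files. `dump_vars` runs right after this check and its body is not visible here; if it records the environment, confirm the new secret is not written out with it.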
@@ -67,3 +68,10 @@ crudini --set /etc/heat/heat.conf DEFAULT heat_metadata_server_url \
     http://${HEAT_API_CFN_URL_HOST}:${HEAT_API_CFN_SERVICE_PORT}
 crudini --set /etc/heat/heat.conf DEFAULT heat_waitcondition_server_url \
     http://${HEAT_API_CFN_URL_HOST}:${HEAT_API_CFN_SERVICE_PORT}/v1/waitcondition
+
+crudini --set /etc/heat/heat.conf DEFAULT stack_domain_admin \
+    "heat_domain_admin"
+crudini --set /etc/heat/heat.conf DEFAULT stack_domain_admin_password \
+    "${HEAT_DOMAIN_PASS}"
+crudini --set /etc/heat/heat.conf DEFAULT stack_user_domain_name \
+    "heat_user_domain"
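Review bot: The literals `heat_domain_admin` and `heat_user_domain` are written here and again in the `heat-keystone-setup-domain` call in heat-engine/start.sh, with nothing tying the two together. If one side is edited, heat.conf will presumably name a domain or domain admin that was never created in Keystone. Defining them once in this sourced file, e.g. `HEAT_STACK_DOMAIN_ADMIN=heat_domain_admin` and `HEAT_STACK_USER_DOMAIN=heat_user_domain`, and using those variables in both places would remove that risk. Failing that, add a comment above the three `crudini` calls such as `# Must match the values passed to heat-keystone-setup-domain in heat-engine/start.sh`.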
diff --git a/docker/common/heat/heat-engine/start.sh b/docker/common/heat/heat-engine/start.sh
index 531b6937523053cc8b2fc91fd05963e9fcd738d0..16453a3bed4f935f762c711e86329e64e59070fd 100755
--- a/docker/common/heat/heat-engine/start.sh
+++ b/docker/common/heat/heat-engine/start.sh
@@ -4,7 +4,7 @@
 . /opt/kolla/config-heat.sh
 
 check_required_vars HEAT_DB_NAME HEAT_DB_USER HEAT_DB_PASSWORD \
-                    INIT_HEAT_DB
+                    INIT_HEAT_DB HEAT_DOMAIN_PASS
 fail_unless_db
 
 if [ "${INIT_HEAT_DB}" == "true" ]; then
@@ -15,6 +15,13 @@ GRANT ALL PRIVILEGES ON ${HEAT_DB_NAME}.* TO
 EOF
 
     /usr/bin/heat-manage db_sync
+
+    # If the database needs to be created, assume keystone-setup is allowed to
+    # run as well.
+    heat-keystone-setup-domain \
+        --stack-user-domain-name heat_user_domain \
+        --stack-domain-admin heat_domain_admin \
+        --stack-domain-admin-password ${HEAT_DOMAIN_PASS}
 fi
 
 exec /usr/bin/heat-engine
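Review bot: `${HEAT_DOMAIN_PASS}` is unquoted in the `heat-keystone-setup-domain` call, so a password containing whitespace or glob characters is word-split or expanded before the tool sees it, and the value may no longer match what config-heat.sh writes to heat.conf; it should be `--stack-domain-admin-password "${HEAT_DOMAIN_PASS}"`. The secret is also passed as a command-line argument here (and to `crudini` in config-heat.sh), which makes it readable in the process list while the command runs; if the tool offers a non-argv way to supply the password, prefer it. The added comment assumes keystone setup may run whenever the database is initialised; whether the command is safe to re-run against an existing domain is not visible from this hunk and is worth confirming. The enclosing `if` block starts outside the hunk.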
diff --git a/docs/integration-guide.md b/docs/integration-guide.md
index 122f028670b9c8f4d21bba8b507ac0d95c194470..884d74f22ad722c0c3874a3c922f18da61317b3d 100755
--- a/docs/integration-guide.md
+++ b/docs/integration-guide.md
@@ -112,6 +112,7 @@ all containers.  This allows a simple method of ensuring every type of node
     HEAT_API_SERVICE_HOST=<IP> - The IP Address where the Heat API service is hosted
     HEAT_API_CFN_SERVICE_HOST=<IP> - The IP Address where Heat users will contact the heat-engine in search for meta data
     HEAT_API_CFN_URL_HOST=<IP> - The IP Address where Heat virtual machines will contact the heat-engine to signal wait conditions
+    HEAT_DOMAIN_PASS=<password> - The Heat domain password
     INIT_CINDER_DB=<true|false> - Initialize or update the Cinder db
     INIT_DESIGNATE_DB=<true|false> - Initialize or update the Designate db
     INIT_GLANCE_DB=<true|false> - Initialize or update the Glance db
diff --git a/tools/genenv b/tools/genenv
index b908d951b7fc4d7d66d6910f11afeb699867710d..fdb1920001eab453ee8f1d81adc636e8ea880c88 100755
--- a/tools/genenv
+++ b/tools/genenv
@@ -142,6 +142,7 @@ HEAT_API_SERVICE_HOST=$HOST_IP
 HEAT_API_CFN_SERVICE_HOST=$HOST_IP
 HEAT_API_CFN_SERVICE_PORT=8000
 HEAT_API_CFN_URL_HOST=$HOST_IP
+HEAT_DOMAIN_PASS=$(openssl rand -hex 8)
 
 # Magnum
 MAGNUM_DB_NAME=magnum
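Review bot: `openssl rand -hex 8` gives the Heat domain admin password only 64 bits of randomness, which is thin for a long-lived admin credential; `HEAT_DOMAIN_PASS=$(openssl rand -hex 16)` costs nothing extra. If `openssl` is missing or fails, the substitution yields an empty string, and whether the script stops on that depends on shell options set outside this hunk, so a guard such as `: "${HEAT_DOMAIN_PASS:?openssl rand failed}"` on the next line would make the failure explicit. The second hunk in this file writes the value into the generated environment file; that file's permissions are set outside the visible lines and should be owner-only, given that it holds every service password.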
@@ -290,6 +291,7 @@ HEAT_API_SERVICE_HOST=$HEAT_API_SERVICE_HOST
 HEAT_API_CFN_SERVICE_HOST=$HEAT_API_CFN_SERVICE_HOST
 HEAT_API_CFN_SERVICE_PORT=$HEAT_API_CFN_SERVICE_PORT
 HEAT_API_CFN_URL_HOST=$HEAT_API_CFN_URL_HOST
+HEAT_DOMAIN_PASS=$HEAT_DOMAIN_PASS
 MAGNUM_DB_NAME=$MAGNUM_DB_NAME
 MAGNUM_DB_PASSWORD=$MAGNUM_DB_PASSWORD
 MAGNUM_KEYSTONE_PASSWORD=$MAGNUM_KEYSTONE_PASSWORD