diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
index 361d3961f2818f060339c3e55ca6d7aee16b5f39..dbeb27389ce3a1ea1d443c8b9772268b7adbda51 100644
--- a/ansible/roles/cinder/defaults/main.yml
+++ b/ansible/roles/cinder/defaults/main.yml
@@ -346,6 +346,11 @@ cinder_ks_users:
 password: "{{ cinder_keystone_password }}"
 role: "admin"
+cinder_ks_user_roles:
+ - project: "service"
+ user: "{{ cinder_keystone_user }}"
+ role: "service"
+
 ####################
 # TLS
 ####################
diff --git a/ansible/roles/cinder/tasks/register.yml b/ansible/roles/cinder/tasks/register.yml
index 86511bc41122b1f2dfb06ab81091d57eb4f28780..d090b30d8eaf9a79df5773e6152b93a711768c22 100644
--- a/ansible/roles/cinder/tasks/register.yml
+++ b/ansible/roles/cinder/tasks/register.yml
@@ -5,3 +5,4 @@
 service_ks_register_auth: "{{ openstack_cinder_auth }}"
 service_ks_register_services: "{{ cinder_ks_services }}"
 service_ks_register_users: "{{ cinder_ks_users }}"
+ service_ks_register_user_roles: "{{ cinder_ks_user_roles }}"
diff --git a/ansible/roles/cinder/tasks/upgrade.yml b/ansible/roles/cinder/tasks/upgrade.yml
index a402d547c115e56ca3892d197800f112fe31cdad..e12f771598592762b8733abe3ffb4d09d19f8bac 100644
--- a/ansible/roles/cinder/tasks/upgrade.yml
+++ b/ansible/roles/cinder/tasks/upgrade.yml
@@ -10,6 +10,13 @@
 - import_tasks: check-containers.yml
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+ name: service-ks-register
+ vars:
+ service_ks_register_auth: "{{ openstack_cinder_auth }}"
+ service_ks_register_user_roles: "{{ cinder_ks_user_roles }}"
+
 - name: Flush handlers
 meta: flush_handlers
diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index 69cde541a3defd8f592f55a9d5c4d62d5795c833..9f074d1bafa0d8f3e567a55255e8338b5e399fde 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
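Review bot: `cinder_ks_user_roles` in ansible/roles/cinder/defaults/main.yml adds the `service` role next to the `role: "admin"` entry that the context lines show staying in `cinder_ks_users`, and nothing records why the user holds both. I would put a comment above the new variable, `# "service" is the role keystonemiddleware checks on service tokens (see OSSA-2023-003); the "admin" grant above is unchanged by this commit.`, so a later least-privilege pass knows which grant backs which check. The same applies to `nova_ks_user_roles` in ansible/roles/nova/defaults/main.yml. Whether the admin grant can be dropped afterwards cannot be decided from these hunks.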
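Review bot: The `import_role` task added to ansible/roles/cinder/tasks/upgrade.yml has no `name:`, and its TODO says when to delete it but not what it is for. A header such as `- name: Assign the service role to the existing cinder user` plus a comment line `# Presumably existing deployments lack the "service" role on this user; grant it before handlers are flushed.` would make the upgrade log readable and the later removal easier to justify. The identical task added at the top of ansible/roles/nova/tasks/upgrade.yml needs the same treatment. Only `service_ks_register_auth` and `service_ks_register_user_roles` are passed, so the task presumably relies on the role's other inputs defaulting to empty; that is not visible here.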
@@ -116,7 +116,6 @@ service_type = volume
 # see: https://security.openstack.org/ossa/OSSA-2023-003.html
 # and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
 service_token_roles_required = true
-service_token_roles = admin
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index e8cfcb5b07658bd54e4096d233b6ee17803aca77..444603ddee7aea752c6f32012018b40475eccd2d 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -247,6 +247,11 @@ nova_ks_users:
 password: "{{ nova_keystone_password }}"
 role: "admin"
+nova_ks_user_roles:
+ - project: "service"
+ user: "{{ nova_keystone_user }}"
+ role: "service"
+
 ####################
 # Notification
 ####################
diff --git a/ansible/roles/nova/tasks/register.yml b/ansible/roles/nova/tasks/register.yml
index a9c7cfaf61fc9dc4985d05187a945f1059cc9dc7..c902fec305ce8b5fee91c6980eae07366c234a8c 100644
--- a/ansible/roles/nova/tasks/register.yml
+++ b/ansible/roles/nova/tasks/register.yml
@@ -5,3 +5,4 @@
 service_ks_register_auth: "{{ openstack_nova_auth }}"
 service_ks_register_services: "{{ nova_ks_services }}"
 service_ks_register_users: "{{ nova_ks_users }}"
+ service_ks_register_user_roles: "{{ nova_ks_user_roles }}"
diff --git a/ansible/roles/nova/tasks/upgrade.yml b/ansible/roles/nova/tasks/upgrade.yml
index 88fdb63c5e791cc4fe502fb6f3d177efe7dd1a79..f60489f4a0e00eaa864166d18c9298350dd00163 100644
--- a/ansible/roles/nova/tasks/upgrade.yml
+++ b/ansible/roles/nova/tasks/upgrade.yml
@@ -1,4 +1,11 @@
 ---
+# TODO(bbezak): Remove this task in the Dalmatian cycle.
+- import_role:
+ name: service-ks-register
+ vars:
+ service_ks_register_auth: "{{ openstack_nova_auth }}"
+ service_ks_register_user_roles: "{{ nova_ks_user_roles }}"
+
 - name: Run Nova upgrade checks
 become: true
 vars:
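Review bot: Dropping `service_token_roles = admin` in cinder.conf.j2 leaves `service_token_roles_required = true` enforcing the keystonemiddleware default role (`service`), but the template no longer says which role is required. A comment above the remaining option, `# service_token_roles is left at its default ("service"); every service user that sends a service token to cinder must hold that role.`, would keep the requirement visible next to the OSSA-2023-003 reference. This commit grants the role only to the cinder and nova users, each inside its own upgrade play, so if cinder is restarted with this config before the nova task has run, nova's service tokens would presumably fail the role check until it does; the play ordering is outside these hunks and is worth confirming. The surrounding config section starts and ends outside the hunk.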