diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml
index a57504f91b..3f499ff926 100644
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
@@ -8,6 +8,12 @@
     that:
       - afs_root.stat.exists
 
+- name: Install zuul user
+  include_role:
+    name: zuul-user
+  vars:
+    zuul_user_enable_sudo: True
+
 - name: Install apache2
   apt:
     name:
@@ -71,6 +77,3 @@
     - 50-tarballs.opendev.org
     - 50-tarballs.openstack.org
     - 50-zuul-ci.org
-
-- name: Install zuul user
-  include_tasks: zuul.yaml
\ No newline at end of file
diff --git a/playbooks/roles/zuul-user/README.rst b/playbooks/roles/zuul-user/README.rst
new file mode 100644
index 0000000000..7d50612520
--- /dev/null
+++ b/playbooks/roles/zuul-user/README.rst
@@ -0,0 +1,11 @@
+zuul user
+
+Install a user ``zuul`` that has the per-project key from
+``system-config`` as an ``authorized_key``.
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_user_enable_sudo
+   :default: False
+
+   Enable passwordless ``sudo`` access for the zuul user.
diff --git a/playbooks/roles/zuul-user/defaults/main.yaml b/playbooks/roles/zuul-user/defaults/main.yaml
new file mode 100644
index 0000000000..993dcd6c72
--- /dev/null
+++ b/playbooks/roles/zuul-user/defaults/main.yaml
@@ -0,0 +1 @@
+zuul_user_enable_sudo: False
\ No newline at end of file
diff --git a/playbooks/roles/static/files/zuul.sudo b/playbooks/roles/zuul-user/files/zuul.sudo
similarity index 100%
rename from playbooks/roles/static/files/zuul.sudo
rename to playbooks/roles/zuul-user/files/zuul.sudo
diff --git a/playbooks/roles/static/tasks/zuul.yaml b/playbooks/roles/zuul-user/tasks/main.yaml
similarity index 83%
rename from playbooks/roles/static/tasks/zuul.yaml
rename to playbooks/roles/zuul-user/tasks/main.yaml
index beb2d5b780..77acb9f159 100644
--- a/playbooks/roles/static/tasks/zuul.yaml
+++ b/playbooks/roles/zuul-user/tasks/main.yaml
@@ -11,6 +11,7 @@
     owner: root
     group: root
     mode: 0440
+  when: zuul_user_enable_sudo
 
 - name: Install system-config per-project key for zuul
   authorized_key:
@@ -18,3 +19,4 @@
     state: present
     key: |
       ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h'
+    comment: Zuul key from http://zuul.opendev.org/api/tenant/openstack/project-ssh-key/opendev/system-config.pub at 2020-02-26
\ No newline at end of file