diff --git a/config_tempest/services/object_storage.py b/config_tempest/services/object_storage.py
index 04c6f6a2..277825c5 100644
--- a/config_tempest/services/object_storage.py
+++ b/config_tempest/services/object_storage.py
@@ -1,4 +1,4 @@
-# Copyright 2016 Red Hat, Inc.
+# Copyright 2016, 2018 Red Hat, Inc.
 # All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -16,6 +16,8 @@
 import json
 
 from base import Service
+from config_tempest.constants import LOG
+from tempest.lib import exceptions
 
 
 class ObjectStorageService(Service):
@@ -29,3 +31,18 @@ class ObjectStorageService(Service):
             # Remove Swift general information from extensions list
             body.pop('swift')
             self.extensions = body.keys()
+
+    def list_create_roles(self, conf, client):
+        try:
+            roles = client.list_roles()['roles']
+        except exceptions.Forbidden:
+            LOG.info("Roles can't be listed - the user needs permissions.")
+            return
+
+        for section_key in ["operator_role", "reseller_admin"]:
+            key_value = conf.get_defaulted("object-storage", section_key)
+            if key_value not in [r['name'] for r in roles]:
+                LOG.info("Creating %s role", key_value)
+                client.create_role(name=key_value)
+
+            conf.set("object-storage", section_key, key_value)
diff --git a/config_tempest/services/services.py b/config_tempest/services/services.py
index 3e1bd0f8..a608e6df 100644
--- a/config_tempest/services/services.py
+++ b/config_tempest/services/services.py
@@ -202,6 +202,15 @@ class Services(object):
                                            self._clients.volume_client,
                                            self.is_service("volumev3"))
 
+        # query the config for swift availability and get the current value
+        # in case, it was overridden in CLI
+        swift_default = self._conf.get_bool_value(
+            self._conf.get_defaulted('service_available', 'swift')
+        )
+        if self.is_service('object-store') and swift_default:
+            object_storage = self.get_service('object-store')
+            object_storage.list_create_roles(self._conf, self._clients.roles)
+
         ceilometer.check_ceilometer_service(self._conf,
                                             self._clients.service_client)
 
diff --git a/config_tempest/tests/base.py b/config_tempest/tests/base.py
index 5a1079b7..ffc1d6b3 100644
--- a/config_tempest/tests/base.py
+++ b/config_tempest/tests/base.py
@@ -200,6 +200,17 @@ class BaseServiceTest(base.BaseTestCase):
             }
         }
     )
+    FAKE_ROLES = (
+        {
+            "roles": [
+                {
+                    "name": "ResellerAdmin",
+                    "id": "2b4df7a671a443d741c62b4df7a671a443d741c6",
+                    "domain_id": None
+                }
+            ]
+        }
+    )
 
     class FakeRequestResponse(object):
         URL = 'https://docs.openstack.org/api/openstack-identity/3/ext/'
diff --git a/config_tempest/tests/services/test_object_storage.py b/config_tempest/tests/services/test_object_storage.py
index 19b6825e..5f5e6e99 100644
--- a/config_tempest/tests/services/test_object_storage.py
+++ b/config_tempest/tests/services/test_object_storage.py
@@ -13,7 +13,11 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import mock
+
+from config_tempest import constants as C
 from config_tempest.services.object_storage import ObjectStorageService
+from config_tempest import tempest_conf
 from config_tempest.tests.base import BaseServiceTest
 
 
@@ -35,3 +39,19 @@ class TestObjectStorageService(BaseServiceTest):
         self.Service.set_extensions()
         self.assertItemsEqual(self.Service.extensions, [])
         self.assertItemsEqual(self.Service.get_extensions(), [])
+
+    def test_list_create_roles(self):
+        conf = tempest_conf.TempestConf()
+        # TODO(mkopec) remove reading of default file when it's removed
+        conf.read(C.DEFAULTS_FILE)
+        client = mock.Mock()
+        return_mock = mock.Mock(return_value=self.FAKE_ROLES)
+        client.list_roles = return_mock
+        client.create_role = mock.Mock()
+        self.Service.list_create_roles(conf, client)
+        self.assertEqual(conf.get('object-storage', 'reseller_admin'),
+                         'ResellerAdmin')
+        # Member role is inherited from tempest.config
+        self.assertEqual(conf.get('object-storage', 'operator_role'),
+                         'Member')
+        self.assertTrue(client.create_role.called)
diff --git a/etc/default-overrides.conf b/etc/default-overrides.conf
index 599728c0..48963127 100644
--- a/etc/default-overrides.conf
+++ b/etc/default-overrides.conf
@@ -72,13 +72,9 @@ admin_domain_name=Default
 disable_ssl_certificate_validation=true
 
 [object-storage]
-
-# Role to add to users created for swift tests to enable
-# creating containers (string value)
-operator_role=SwiftOperator
-
-# User role that has reseller admin (string value)
-#reseller_admin_role=ResellerAdmin $$$ DEPLOY
+# default-overrides.conf file will be removed soon, this value will be
+# moved to load_basic_defaults method in config_tempest/main.py
+reseller_admin = ResellerAdmin
 
 [data-processing]