diff --git a/hooks/keystone_hooks.py b/hooks/keystone_hooks.py
index 5227cca1..5d89707f 100755
--- a/hooks/keystone_hooks.py
+++ b/hooks/keystone_hooks.py
@@ -406,7 +406,12 @@ def db_changed():
 if 'shared-db' not in CONFIGS.complete_contexts():
 log('shared-db relation incomplete. Peer not ready?')
 else:
- CONFIGS.write(KEYSTONE_CONF)
+ # here we may need to restart keystone's apache2 if the database
+ # password has been rotated as otherwise the
+ # `update_all_identity_related_units()` function will fail as it need
+ # to use keystone to check the database.
+ _maybe_config_updated()
+
 leader_init_db_if_ready(use_current_context=True)
 if CompareOpenStackReleases(
 os_release('keystone')) >= 'liberty':
@@ -415,6 +420,13 @@ def db_changed():
 inform_peers_if_ready(check_api_unit_ready)
 
 
+@restart_on_change(restart_map(),
+ restart_functions=restart_function_map())
+def _maybe_config_updated():
+ """Restart the keystone service is the configs have been updated."""
+ CONFIGS.write(KEYSTONE_CONF)
+
+
 @hooks.hook('shared-db-relation-departed',
 'shared-db-relation-broken')
 def db_departed_or_broken():
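Review bot: In `db_changed()`, `leader_init_db_if_ready(use_current_context=True)` runs immediately after `_maybe_config_updated()`, and nothing visible in this hunk confirms that the restarted keystone/apache2 is accepting requests again before the following calls depend on it. If the restart helper returns before the service is ready (this cannot be told from the hunk), the failure described in the new comment could still occur intermittently right after a database password rotation, so it is worth confirming that there is a readiness check or a retry at the point of use. The comment also names `update_all_identity_related_units()`, which is not called in the visible lines, and its last clause reads better as `# function will fail, as it needs to use keystone to check the database.` The body of `db_changed()` starts and continues outside the hunk.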
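Review bot: The docstring of `_maybe_config_updated()` has a typo (`is` for `if`) and describes the restart as what the function does, whereas the body only writes `KEYSTONE_CONF` and the restart decision belongs to the `restart_on_change` decorator. Something like `"""Write KEYSTONE_CONF; restart_on_change restarts the mapped services if a watched file changed."""` states that split. Because this path exists to pick up a rotated database password, the docstring could also note that `restart_map()` and `restart_function_map()` are evaluated once, when the decorator is applied at module load, rather than on each call.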