diff --git a/files/keystone.conf b/files/keystone.conf
index 0ee08279d5..3167c0f455 100644
--- a/files/keystone.conf
+++ b/files/keystone.conf
@@ -37,7 +37,7 @@ driver = keystone.token.backends.kvs.Token
 driver = keystone.policy.backends.simple.SimpleMatch
 
 [ec2]
-driver = keystone.contrib.ec2.backends.kvs.Ec2
+driver = keystone.contrib.ec2.backends.sql.Ec2
 
 [filter:debug]
 paste.filter_factory = keystone.common.wsgi:Debug.factory
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index 35eaa5dd12..39952b16c6 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -98,6 +98,25 @@ if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
                                      "description=Swift Service"
 fi
 
+# create ec2 creds and parse the secret and access key returned
+RESULT=`$BIN_DIR/keystone-manage ec2 create user_id=$ADMIN_USER tenant_id=$ADMIN_TENANT`
+ADMIN_ACCESS=`echo $RESULT | python -c "import sys; import json; result = json.loads(sys.stdin.read()); print result['access'];"`
+ADMIN_SECRET=`echo $RESULT | python -c "import sys; import json; result = json.loads(sys.stdin.read()); print result['secret'];"`
+
+
+RESULT=`$BIN_DIR/keystone-manage ec2 create user_id=$DEMO_USER tenant_id=$DEMO_TENANT`
+DEMO_ACCESS=`echo $RESULT | python -c "import sys; import json; result = json.loads(sys.stdin.read()); print result['access'];"`
+DEMO_SECRET=`echo $RESULT | python -c "import sys; import json; result = json.loads(sys.stdin.read()); print result['secret'];"`
+
+# write the secret and access to ec2rc
+cat > $DEVSTACK_DIR/ec2rc <<EOF
+ADMIN_ACCESS=$ADMIN_ACCESS
+ADMIN_SECRET=$ADMIN_SECRET
+DEMO_ACCESS=$DEMO_ACCESS
+DEMO_SECRET=$DEMO_SECRET
+EOF
+
+
 #endpointTemplates
 #$BIN_DIR/keystone-manage $* endpointTemplates add \
 #      RegionOne nova
@@ -130,8 +149,3 @@ fi
 # Tokens
 #$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00
 
-# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
-# but keystone doesn't parse them - it is just a blob from keystone's
-# point of view
-#$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
-#$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"
diff --git a/openrc b/openrc
index 4c4b1d31fa..c05bf6535a 100644
--- a/openrc
+++ b/openrc
@@ -56,10 +56,10 @@ export NOVA_REGION_NAME=${NOVA_REGION_NAME:-RegionOne}
 export EC2_URL=${EC2_URL:-http://$SERVICE_HOST:8773/services/Cloud}
 
 # Access key is set in the initial keystone data to be the same as username
-export EC2_ACCESS_KEY=${USERNAME:-demo}
+export EC2_ACCESS_KEY=${DEMO_ACCESS}
 
 # Secret key is set in the initial keystone data to the admin password
-export EC2_SECRET_KEY=${ADMIN_PASSWORD:-secrete}
+export EC2_SECRET_KEY=${DEMO_SECRET}
 
 # Euca2ools Certificate stuff for uploading bundles
 # You can get your certs using ./tools/get_certs.sh
diff --git a/stack.sh b/stack.sh
index cedf597f06..8421c3c23a 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1398,7 +1398,7 @@ if [[ "$ENABLED_SERVICES" =~ "key" ]]; then
     # initialize keystone with default users/endpoints
     pushd $KEYSTONE_DIR
     $KEYSTONE_DIR/bin/keystone-manage db_sync
-    ENABLED_SERVICES=$ENABLED_SERVICES BIN_DIR=$KEYSTONE_DIR/bin bash $KEYSTONE_DATA
+    DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES BIN_DIR=$KEYSTONE_DIR/bin bash $KEYSTONE_DATA
     popd
 fi
 
diff --git a/stackrc b/stackrc
index c9acdbeef6..d30bf6679f 100644
--- a/stackrc
+++ b/stackrc
@@ -76,6 +76,11 @@ case "$LIBVIRT_TYPE" in
         IMAGE_URLS="http://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-x86_64-uec.tar.gz";;
 esac
 
+# use stored ec2 env variables
+if [ -f ./ec2rc ]; then
+    source ./ec2rc
+fi
+
 # allow local overrides of env variables
 if [ -f ./localrc ]; then
     source ./localrc