diff --git a/lib/cinder b/lib/cinder index aef6854062..aafd837c95 100644 --- a/lib/cinder +++ b/lib/cinder @@ -303,15 +303,6 @@ function configure_cinder { cp $CINDER_DIR/etc/cinder/api-paste.ini $CINDER_API_PASTE_INI - inicomment $CINDER_API_PASTE_INI filter:authtoken auth_host - inicomment $CINDER_API_PASTE_INI filter:authtoken auth_port - inicomment $CINDER_API_PASTE_INI filter:authtoken auth_protocol - inicomment $CINDER_API_PASTE_INI filter:authtoken cafile - inicomment $CINDER_API_PASTE_INI filter:authtoken admin_tenant_name - inicomment $CINDER_API_PASTE_INI filter:authtoken admin_user - inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password - inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir - configure_keystone_authtoken_middleware $CINDER_CONF cinder iniset $CINDER_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL @@ -423,7 +414,7 @@ function configure_cinder { configure_keystone_authtoken_middleware $CINDER_CONF glance glance # Set nova credentials (used for os-assisted-snapshots) - configure_keystone_authtoken_middleware $CINDER_CONF nova nova + configure_keystoneauth $CINDER_CONF nova nova iniset $CINDER_CONF nova region_name "$REGION_NAME" iniset $CINDER_CONF DEFAULT graceful_shutdown_timeout "$SERVICE_GRACEFUL_SHUTDOWN_TIMEOUT" @@ -733,8 +724,8 @@ function configure_cinder_volume_upload { } function init_cinder_service_user_conf { - configure_keystone_authtoken_middleware $CINDER_CONF cinder service_user iniset $CINDER_CONF service_user send_service_user_token True + configure_keystoneauth $CINDER_CONF cinder service_user } # Restore xtrace diff --git a/lib/keystone b/lib/keystone index 241909cb9d..4a2d7a9f6c 100644 --- a/lib/keystone +++ b/lib/keystone 
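Review bot: In the second lib/cinder hunk, switching the `[nova]` section to `configure_keystoneauth $CINDER_CONF nova nova` means it no longer receives `cafile`, because only `configure_keystone_authtoken_middleware` still writes `cafile $SSL_BUNDLE_FILE` (see the lib/keystone hunk). With TLS enabled the client presumably falls back to the system trust store, so confirm the devstack CA is trusted there; otherwise certificate verification for these calls will fail. The same applies to the `service_user` section in the third lib/cinder hunk and to the `nova` and `placement` sections in lib/neutron's `_configure_neutron_service`. If the bundle is still required, add `iniset $CINDER_CONF nova cafile $SSL_BUNDLE_FILE` after the call, or have the helper write it.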
@@ -421,9 +421,27 @@ function create_service_user { fi } +# Configure options for keystoneauth +# +# configure_keystoneauth conf_file admin_user section +function configure_keystoneauth { + local conf_file=$1 + local admin_user=$2 + local section=$3 + + iniset $conf_file $section auth_type password + iniset $conf_file $section interface public + iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI + iniset $conf_file $section username $admin_user + iniset $conf_file $section password $SERVICE_PASSWORD + iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" + iniset $conf_file $section project_name $SERVICE_PROJECT_NAME + iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" +} + # Configure a service to use the auth token middleware. # -# configure_keystone_authtoken_middleware conf_file admin_user IGNORED [section] +# configure_keystone_authtoken_middleware conf_file admin_user [section] # # section defaults to keystone_authtoken, which is where auth_token looks in # the .conf file. If the paste config file is used (api-paste.ini) then @@ -434,15 +452,7 @@ function configure_keystone_authtoken_middleware { local section=${3:-keystone_authtoken} local service_type=$4 - iniset $conf_file $section auth_type password - iniset $conf_file $section interface public - iniset $conf_file $section auth_url $KEYSTONE_SERVICE_URI - iniset $conf_file $section username $admin_user - iniset $conf_file $section password $SERVICE_PASSWORD - iniset $conf_file $section user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf_file $section project_name $SERVICE_PROJECT_NAME - iniset $conf_file $section project_domain_name "$SERVICE_DOMAIN_NAME" - + configure_keystoneauth $conf_file $admin_user $section iniset $conf_file $section cafile $SSL_BUNDLE_FILE iniset $conf_file $section memcached_servers $MEMCACHE_SERVERS if [[ -n "$service_type" ]]; then diff --git a/lib/neutron b/lib/neutron index ea2d8e728a..44cd249fa1 100644 --- a/lib/neutron 
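Review bot: The new `configure_keystoneauth` passes `$SERVICE_PASSWORD` and `$KEYSTONE_SERVICE_URI` to `iniset` unquoted, whereas the lib/nova and lib/neutron lines it replaces quoted both. A password containing whitespace or glob characters would be word-split or expanded before it is written, so the stored credential would no longer match the one in keystone. Quote them as the neighbouring `"$SERVICE_DOMAIN_NAME"` lines do: `iniset $conf_file $section password "$SERVICE_PASSWORD"` and `iniset $conf_file $section auth_url "$KEYSTONE_SERVICE_URI"`.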
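Review bot: The usage comment for `configure_keystone_authtoken_middleware` now ends at `[section]`, but the function still reads a fourth positional argument, `local service_type=$4`, visible at the top of the second lib/keystone hunk. I would document it as `# configure_keystone_authtoken_middleware conf_file admin_user [section] [service_type]`. The function body continues past the end of the hunk, so what `service_type` controls is not visible here and the comment should describe it from the full source.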
+++ b/lib/neutron @@ -460,14 +460,7 @@ function configure_neutron_nova { function create_nova_conf_neutron { local conf=${1:-$NOVA_CONF} - iniset $conf neutron auth_type "password" - iniset $conf neutron auth_url "$KEYSTONE_SERVICE_URI" - iniset $conf neutron username nova - iniset $conf neutron password "$SERVICE_PASSWORD" - iniset $conf neutron user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf neutron project_name "$SERVICE_PROJECT_NAME" - iniset $conf neutron project_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf neutron auth_strategy "$Q_AUTH_STRATEGY" + configure_keystoneauth $conf nova neutron iniset $conf neutron region_name "$REGION_NAME" # optionally set options in nova_conf @@ -1011,10 +1004,10 @@ function _configure_neutron_service { iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_status_changes $Q_NOTIFY_NOVA_PORT_STATUS_CHANGES iniset $NEUTRON_CONF DEFAULT notify_nova_on_port_data_changes $Q_NOTIFY_NOVA_PORT_DATA_CHANGES - configure_keystone_authtoken_middleware $NEUTRON_CONF nova nova + configure_keystoneauth $NEUTRON_CONF nova nova # Configuration for placement client - configure_keystone_authtoken_middleware $NEUTRON_CONF placement placement + configure_keystoneauth $NEUTRON_CONF placement placement # Configure plugin neutron_plugin_configure_service diff --git a/lib/nova b/lib/nova index 2357d87ee3..a7222cec81 100644 --- a/lib/nova +++ b/lib/nova 
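Review bot: In `create_nova_conf_neutron` the `[neutron]` section no longer gets `auth_strategy "$Q_AUTH_STRATEGY"`, and the helper adds `interface public`, which this section did not set before, so the hunk is not a pure de-duplication. If dropping `auth_strategy` is intended, say so in the commit message; otherwise keep `iniset $conf neutron auth_strategy "$Q_AUTH_STRATEGY"` after the helper call. The `interface public` addition also reaches the `placement`, `cinder`, `manila` and `service_user` sections in lib/nova, which pins those service-to-service calls to the public endpoint. Confirm that is wanted for deployments that separate internal and public endpoints.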
@@ -628,32 +628,19 @@ function create_nova_conf { function configure_placement_nova_compute { # Use the provided config file path or default to $NOVA_CONF. local conf=${1:-$NOVA_CONF} - iniset $conf placement auth_type "password" - iniset $conf placement auth_url "$KEYSTONE_SERVICE_URI" - iniset $conf placement username nova - iniset $conf placement password "$SERVICE_PASSWORD" - iniset $conf placement user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf placement project_name "$SERVICE_TENANT_NAME" - iniset $conf placement project_domain_name "$SERVICE_DOMAIN_NAME" - iniset $conf placement region_name "$REGION_NAME" + configure_keystoneauth $conf nova placement } # Configure access to cinder. function configure_cinder_access { iniset $NOVA_CONF cinder os_region_name "$REGION_NAME" - iniset $NOVA_CONF cinder auth_type "password" - iniset $NOVA_CONF cinder auth_url "$KEYSTONE_SERVICE_URI" # NOTE(mriedem): This looks a bit weird but we use the nova user here # since it has the admin role and the cinder user does not. This is # similar to using the nova user in init_nova_service_user_conf. We need # to use a user with the admin role for background tasks in nova to # be able to GET block-storage API resources owned by another project # since cinder has low-level "is_admin" checks in its DB API. - iniset $NOVA_CONF cinder username nova - iniset $NOVA_CONF cinder password "$SERVICE_PASSWORD" - iniset $NOVA_CONF cinder user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $NOVA_CONF cinder project_name "$SERVICE_TENANT_NAME" - iniset $NOVA_CONF cinder project_domain_name "$SERVICE_DOMAIN_NAME" + configure_keystoneauth $conf nova cinder if is_service_enabled tls-proxy; then CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST} CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776} 
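Review bot: `configure_cinder_access` never defines `conf` (its other lines use `$NOVA_CONF`), so the added `configure_keystoneauth $conf nova cinder` expands `$conf` to nothing unless a caller's local happens to leak in through bash dynamic scoping. The helper then receives `nova` as `conf_file` and `cinder` as `admin_user` with an empty section, so the `[cinder]` credentials, including the service password, are not written to nova.conf and may land in a stray file. `configure_manila_access` in the next hunk has the same defect. Use `configure_keystoneauth $NOVA_CONF nova cinder` and `configure_keystoneauth $NOVA_CONF nova manila`. The body of `configure_cinder_access` continues past the end of this hunk.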
@@ -663,14 +650,7 @@ function configure_cinder_access { # Configure access to manila. function configure_manila_access { - iniset $NOVA_CONF manila os_region_name "$REGION_NAME" - iniset $NOVA_CONF manila auth_type "password" - iniset $NOVA_CONF manila auth_url "$KEYSTONE_SERVICE_URI" - iniset $NOVA_CONF manila username nova - iniset $NOVA_CONF manila password "$SERVICE_PASSWORD" - iniset $NOVA_CONF manila user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $NOVA_CONF manila project_name "$SERVICE_TENANT_NAME" - iniset $NOVA_CONF manila project_domain_name "$SERVICE_DOMAIN_NAME" + configure_keystoneauth $conf nova manila } function configure_console_compute { @@ -836,13 +816,7 @@ function configure_nova_unified_limits { function init_nova_service_user_conf { iniset $NOVA_CONF service_user send_service_user_token True - iniset $NOVA_CONF service_user auth_type password - iniset $NOVA_CONF service_user auth_url "$KEYSTONE_SERVICE_URI" - iniset $NOVA_CONF service_user username nova - iniset $NOVA_CONF service_user password "$SERVICE_PASSWORD" - iniset $NOVA_CONF service_user user_domain_name "$SERVICE_DOMAIN_NAME" - iniset $NOVA_CONF service_user project_name "$SERVICE_PROJECT_NAME" - iniset $NOVA_CONF service_user project_domain_name "$SERVICE_DOMAIN_NAME" + configure_keystoneauth $NOVA_CONF nova service_user } function conductor_conf {
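Review bot: `configure_manila_access` drops `iniset $NOVA_CONF manila os_region_name "$REGION_NAME"` without a replacement, since `configure_keystoneauth` sets no region option; `configure_placement_nova_compute` in the previous hunk loses `region_name` the same way. With more than one region in the catalog the client may then pick an endpoint from another region, though this is inferred because the consuming code is not shown. Keep the region lines next to the helper calls: `iniset $NOVA_CONF manila os_region_name "$REGION_NAME"` and `iniset $conf placement region_name "$REGION_NAME"`.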