diff --git a/deployment/puppet/openstack_tasks/manifests/keystone/keystone.pp b/deployment/puppet/openstack_tasks/manifests/keystone/keystone.pp
index 5ae6925066..71b68f2afa 100644
--- a/deployment/puppet/openstack_tasks/manifests/keystone/keystone.pp
+++ b/deployment/puppet/openstack_tasks/manifests/keystone/keystone.pp
@@ -208,40 +208,55 @@ class openstack_tasks::keystone::keystone { } } - osnailyfacter::credentials_file { '/root/openrc': - admin_user => $admin_user, - admin_password => $admin_password, - admin_tenant => $admin_tenant, - region_name => $region, - auth_url => $auth_url, - murano_repo_url => $murano_repo_url, - murano_glare_plugin => $murano_glare_plugin, + group { 'operator_group' : + name => $operator_user_name, + ensure => present, } - osnailyfacter::credentials_file { "${operator_user_homedir}/openrc": - admin_user => $admin_user, - admin_password => $admin_password, - admin_tenant => $admin_tenant, - region_name => $region, - auth_url => $auth_url, - murano_repo_url => $murano_repo_url, - murano_glare_plugin => $murano_glare_plugin, - owner => $operator_user_name, - group => $operator_user_name, + user { 'operator_user': + name => $operator_user_name, + gid => $operator_user_name, + ensure => present, + managehome => true, + home => $operator_user_homedir, } - osnailyfacter::credentials_file { "${service_user_homedir}/openrc": - admin_user => $admin_user, - admin_password => $admin_password, - admin_tenant => $admin_tenant, - region_name => $region, - auth_url => $auth_url, - murano_repo_url => $murano_repo_url, - murano_glare_plugin => $murano_glare_plugin, - owner => $service_user_name, - group => $service_user_name, + group { 'service_group' : + name => $service_user_name, + ensure => present, } + user { 'service_user': + name => $service_user_name, + gid => $service_user_name, + ensure => present, + managehome => true, + home => $service_user_homedir, + } + + $users = { + "${operator_user_name}" => 'operator_user', + "${service_user_name}" => 'service_user', + } + + $cred_users = { + '/root/openrc' => 'root', + "${operator_user_homedir}/openrc" => $operator_user_name, + "${service_user_homedir}/openrc" => $service_user_name, + } + + $cred_params = { + 'admin_user' => $admin_user, + 'admin_password' => $admin_password, + 'admin_tenant' => $admin_tenant, + 
'region_name' => $region, + 'auth_url' => $auth_url, + 'murano_repo_url' => $murano_repo_url, + 'murano_glare_plugin' => $murano_glare_plugin + } + + create_resources('osnailyfacter::credentials_file', get_cred_files_hash($cred_users, $cred_params, $users)) + # Get paste.ini source include ::keystone::params $keystone_paste_ini = $::keystone::params::paste_config ? { diff --git a/deployment/puppet/osnailyfacter/lib/puppet/parser/functions/get_cred_files_hash.rb b/deployment/puppet/osnailyfacter/lib/puppet/parser/functions/get_cred_files_hash.rb new file mode 100644 index 0000000000..84645572d2 --- /dev/null +++ b/deployment/puppet/osnailyfacter/lib/puppet/parser/functions/get_cred_files_hash.rb @@ -0,0 +1,23 @@ +module Puppet::Parser::Functions + newfunction(:get_cred_files_hash, :type => :rvalue, :arity => 3, +:doc => <<-EOS +Build hash for credentials files creation +EOS + ) do |args| + raise(Puppet::ParseError, 'Wrong cred_users. Should be a Hash.') unless args[0].is_a?(Hash) + raise(Puppet::ParseError, 'Wrong common_cred_params. Should be a Hash.') unless args[1].is_a?(Hash) + raise(Puppet::ParseError, 'Wrong users. Should be a Hash.') unless args[2].is_a?(Hash) + + cred_users, common_cred_params, users = args + + cred_users.inject({}) do |result, el| + home_dir, owner = el.first, el.last + if users.has_key?(owner) + result[home_dir] = common_cred_params.dup.update({'owner' => owner, 'group' => owner, 'require' => "User[#{users[owner]}]"}) + else + result[home_dir] = common_cred_params.dup.update({'owner' => owner, 'group' => owner}) + end + result + end + end +end diff --git a/deployment/puppet/osnailyfacter/spec/functions/get_cred_files_hash_spec.rb b/deployment/puppet/osnailyfacter/spec/functions/get_cred_files_hash_spec.rb new file mode 100644 index 0000000000..d352b06b0d --- /dev/null +++ b/deployment/puppet/osnailyfacter/spec/functions/get_cred_files_hash_spec.rb 
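Review bot: `$cred_params` puts `admin_password` into three openrc files, two of them under the home directories of the operator and service accounts this hunk starts managing, and nothing visible here pins the mode of those files. The mode is decided inside `osnailyfacter::credentials_file`, which is outside this diff, so it is worth confirming that the define writes the file readable by its owner only and recording that next to the hash, e.g. `# openrc holds the Keystone admin password; credentials_file must keep it 0600`. With `managehome => true` the permissions of the new home directories presumably come from the platform defaults, so the file's own mode is what protects the password from other local accounts.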
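Review bot: The two branches of `if users.has_key?(owner)` build the same hash and differ only in the `require` entry, and `home_dir` is bound to the hash key, which the manifest passes as the full path of the openrc file rather than a directory. The block body can be reduced to `params = common_cred_params.merge('owner' => owner, 'group' => owner)`, `params['require'] = "User[#{users[owner]}]" if users.key?(owner)` and `result[path] = params`. The `:doc` text would also be more useful if it named the three hashes: file path to owner, the shared parameters, and user name to the title of its `User` resource. Since the shared parameters include `admin_password`, the doc should say that the returned hash carries the secret and should not be logged.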
@@ -0,0 +1,96 @@ +require 'spec_helper' + +describe 'get_cred_files_hash' do + + let (:common_cred_params) do + { + 'admin_user' => 'admin_user', + 'admin_password' => 'admin_password', + 'admin_tenant' => 'admin_tenant', + 'region_name' => 'region', + 'auth_url' => 'auth_url', + 'murano_repo_url' => 'murano_repo_url', + 'murano_glare_plugin' => 'murano_glare_plugin' + } + end + + it 'should exist' do + is_expected.not_to be_nil + end + + context 'handle wrong values' do + it 'should throw an error on invalid arguments number' do + is_expected.to run.with_params(1, 2, 3, 4).and_raise_error(ArgumentError) + end + + it 'should raise an error if first invalid argument type is specified' do + is_expected.to run.with_params('foo', {}, {}).and_raise_error(Puppet::ParseError) + end + + it 'should raise an error if second invalid argument type is specified' do + is_expected.to run.with_params({}, 'foo', {}).and_raise_error(Puppet::ParseError) + end + it 'should raise an error if third invalid argument type is specified' do + is_expected.to run.with_params({}, {}, 'foo').and_raise_error(Puppet::ParseError) + end + end + + context 'different home directories names' do + let (:cred_users) do + { + '/root/openrc' => 'root', + '/home/fuel/openrc' => 'fuel', + '/home/fueladmin/openrc' => 'fueladmin' + } + end + + let (:users) do + { + 'fuel' => 'service_user', + 'fueladmin' => 'operator_user', + } + end + + let (:result) do + { + '/root/openrc' => common_cred_params.dup.update({"owner" => 'root', + "group" => 'root'}), + '/home/fuel/openrc' => common_cred_params.dup.update({"owner" => 'fuel', + "group" => 'fuel', + "require" => 'User[service_user]'}), + '/home/fueladmin/openrc' => common_cred_params.dup.update({"owner" => 'fueladmin', + "group" => 'fueladmin', + "require" => 'User[operator_user]'}) + } + end + + it 'should work with different home directories names' do + is_expected.to run.with_params(cred_users, common_cred_params, users).and_return(result) + end + end + + 
context 'same home directories names' do + let (:cred_users) do + { + '/root/openrc' => 'root', + '/root/openrc' => 'root' + } + end + + let (:users) do + {} + end + + let (:result) do + { + '/root/openrc' => common_cred_params.dup.update({"owner" => 'root', + "group" => 'root'}) + } + end + + it 'should work with same home directories names' do + is_expected.to run.with_params(cred_users, common_cred_params, users).and_return(result) + end + end + +end
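Review bot: The `cred_users` literal in the 'same home directories names' context repeats the key `'/root/openrc'`, and Ruby keeps a single entry for a duplicated key in a hash literal, so the function receives a one-entry hash and this case exercises nothing the first context does not already cover. If the intent is to cover one owner holding several credential files, give the two entries distinct paths with the same owner and expect both in `result`; otherwise the context can be dropped. A case where an owner listed in `users` appears under more than one path would also pin that each entry gets its own `require`.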