diff --git a/heat/engine/clients/os/keystone/heat_keystoneclient.py b/heat/engine/clients/os/keystone/heat_keystoneclient.py
index f91c2c134e..b738c2f089 100644
--- a/heat/engine/clients/os/keystone/heat_keystoneclient.py
+++ b/heat/engine/clients/os/keystone/heat_keystoneclient.py
@@ -328,6 +328,17 @@ class KsClientWrapper(object):
 # FIXME(shardy): Legacy fallback for folks using old heat.conf
 # files which lack domain configuration
 return self.create_stack_user(username=username, password=password)
+ # We are creating automated user, for which most of security
+ # compliance restrictions possibly set in Keystone should not apply,
+ # https://docs.openstack.org/keystone/latest/admin/security-compliance.html
+ # TODO(pas-ha) find a way to deal with password_regex and
+ # disable_user_account_days_inactive
+ # TODO(pas-ha) think if we also need to add lock_password too
+ user_options = {
+ "ignore_change_password_upon_first_use": True,
+ "ignore_password_expiry": True,
+ "ignore_lockout_failure_attempts": True
+ }
 # We add the new user to a special keystone role
 # This role is designed to allow easier differentiation of the
 # heat-generated "stack users" which will generally have credentials
@@ -339,7 +350,8 @@ class KsClientWrapper(object):
 # Create user
 user = self.domain_admin_client.users.create(
 name=self._get_username(username), password=password,
- default_project=project_id, domain=self.stack_domain_id)
+ default_project=project_id, domain=self.stack_domain_id,
+ options=user_options)
 # Add to stack user role
 LOG.debug("Adding user %(user)s to role %(role)s",
 {'user': user.id, 'role': role_id})
diff --git a/heat/tests/clients/test_heat_client.py b/heat/tests/clients/test_heat_client.py
index 8397ca7408..0b36e8c269 100644
--- a/heat/tests/clients/test_heat_client.py
+++ b/heat/tests/clients/test_heat_client.py
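Review bot: The new `"ignore_lockout_failure_attempts": True` entry in `user_options` switches off Keystone's failed-login lockout for stack users, and the comment above it does not say why that is acceptable; unlike password expiry and first-use rotation, lockout is the control that bounds online password guessing against credentials that are handed out to the stack's resources, so the rationale should be recorded next to the setting. I would add a line such as `# lockout is skipped because the user lives in the stack domain and holds only the stack-user role granted below — confirm no caller grants more` so the decision stays reviewable, and weigh the `lock_password` TODO in the same light. The legacy `create_stack_user` fallback returned just above still creates users without `options`, so the two configurations now behave differently under a compliance-enabled Keystone; that function's body is outside the hunk. Stylistically, the same dict is spelled out again in the test hunk of this commit, which would be easier to keep in sync as a module-level constant, e.g. `STACK_USER_OPTIONS = {...}`, referenced from both places.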
@@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
 ctx = utils.dummy_context()
 self.patchobject(ctx, '_create_auth_plugin')
 ctx.trust_id = None
+ user_options = dict(ignore_password_expiry=True,
+ ignore_change_password_upon_first_use=True,
+ ignore_lockout_failure_attempts=True)
 
 # mock keystone client functions
 self._stub_domain_admin_client()
@@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
 name='duser',
 password=None,
 default_project='aproject',
- domain='adomain123')
+ domain='adomain123',
+ options=user_options)
 self.mock_ks_v3_client.roles.grant.assert_called_once_with(
 project='aproject', role='4546',