diff --git a/keystone/common/sql/contract_repo/versions/056_contract_add_application_credential_access_rules.py b/keystone/common/sql/contract_repo/versions/056_contract_add_application_credential_access_rules.py
new file mode 100644
index 0000000000..8066b50bb3
--- /dev/null
+++ b/keystone/common/sql/contract_repo/versions/056_contract_add_application_credential_access_rules.py
@@ -0,0 +1,17 @@
+# Copyright 2019 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+def upgrade(migrate_engine):
+ pass
diff --git a/keystone/common/sql/data_migration_repo/versions/056_migrate_add_application_credential_access_rules.py b/keystone/common/sql/data_migration_repo/versions/056_migrate_add_application_credential_access_rules.py
new file mode 100644
index 0000000000..8066b50bb3
--- /dev/null
+++ b/keystone/common/sql/data_migration_repo/versions/056_migrate_add_application_credential_access_rules.py
@@ -0,0 +1,17 @@
+# Copyright 2019 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+def upgrade(migrate_engine):
+ pass
diff --git a/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py b/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py
new file mode 100644
index 0000000000..9fa49879f2
--- /dev/null
+++ b/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py
@@ -0,0 +1,44 @@
+# Copyright 2019 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import sqlalchemy as sql
+
+
+def upgrade(migrate_engine):
+ meta = sql.MetaData()
+ meta.bind = migrate_engine
+
+ application_credential = sql.Table('application_credential', meta, autoload=True)
+ access_rule = sql.Table(
+ 'access_rule', meta,
+ sql.Column('id', sql.Integer, primary_key=True, nullable=False),
+ sql.Column('service', sql.String(64)),
+ sql.Column('path', sql.String(128)),
+ sql.Column('method', sql.String(16)),
+ mysql_engine='InnoDB', mysql_charset='utf8'
+ )
+ app_cred_access_rule = sql.Table(
+ 'application_credential_access_rule', meta,
+ sql.Column('application_credential_id', sql.Integer,
+ sql.ForeignKey(application_credential.c.internal_id,
+ ondelete='CASCADE'),
+ primary_key=True, nullable=False),
+ sql.Column('access_rule_id', sql.Integer,
+ sql.ForeignKey(access_rule.c.id,
+ ondelete='CASCADE'),
+ primary_key=True, nullable=False),
+ mysql_engine='InnoDB', mysql_charset='utf8'
+ )
+ access_rule.create(migrate_engine, checkfirst=True)
+ app_cred_access_rule.create(migrate_engine, checkfirst=True)
diff --git a/keystone/tests/unit/test_sql_upgrade.py b/keystone/tests/unit/test_sql_upgrade.py
index 2a99be0f62..64155c7e98 100644
--- a/keystone/tests/unit/test_sql_upgrade.py
+++ b/keystone/tests/unit/test_sql_upgrade.py
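Review bot: In `056_expand_add_application_credential_access_rules.py`, the `service`, `path` and `method` columns of `access_rule` are created nullable, so a rule row with a NULL in any of them can be stored; how the enforcement code would treat such a row (match nothing, or match everything) is not visible in this diff. Since these rows restrict what an application credential may call, I would declare them as e.g. `sql.Column('path', sql.String(128), nullable=False)` and do the same for `service` and `method`. Separately, `ondelete='CASCADE'` on `access_rule_id` means deleting an `access_rule` row silently removes the link from every credential that used it; if a credential with no remaining rules is treated as unrestricted, that widens access, so consider `ondelete='RESTRICT'` there or a comment stating the intended behaviour.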
@@ -3223,6 +3223,66 @@ class FullMigration(SqlMigrateBase, unit.TestCase): 'registered_limit_id', 'domain_id']) self.assertTrue(limit_table.c.project_id.nullable) + def test_migration_056_add_application_credential_access_rules(self): + self.expand(55) + self.migrate(55) + self.contract(55) + + self.assertTableDoesNotExist('access_rule') + self.assertTableDoesNotExist('application_credential_access_rule') + + self.expand(56) + self.migrate(56) + self.contract(56) + + self.assertTableExists('access_rule') + self.assertTableExists('application_credential_access_rule') + self.assertTableColumns( + 'access_rule', + ['id', 'service', 'path', 'method'] + ) + self.assertTableColumns( + 'application_credential_access_rule', + ['application_credential_id', 'access_rule_id'] + ) + self.assertTrue(self.does_fk_exist('application_credential_access_rule', + 'application_credential_id')) + self.assertTrue(self.does_fk_exist('application_credential_access_rule', + 'access_rule_id')) + + app_cred_table = sqlalchemy.Table( + 'application_credential', self.metadata, autoload=True + ) + access_rule_table = sqlalchemy.Table( + 'access_rule', self.metadata, autoload=True + ) + app_cred_access_rule_table = sqlalchemy.Table( + 'application_credential_access_rule', + self.metadata, autoload=True + ) + app_cred = { + 'internal_id': 1, + 'id': uuid.uuid4().hex, + 'name': uuid.uuid4().hex, + 'secret_hash': uuid.uuid4().hex, + 'user_id': uuid.uuid4().hex, + 'project_id': uuid.uuid4().hex + } + app_cred_table.insert().values(app_cred).execute() + access_rule = { + 'id': 1, + 'service': uuid.uuid4().hex, + 'path': '/v2.1/servers', + 'method': 'GET' + } + access_rule_table.insert().values(access_rule).execute() + app_cred_access_rule_rel = { + 'application_credential_id': app_cred['internal_id'], + 'access_rule_id': access_rule['id'] + } + app_cred_access_rule_table.insert().values( + app_cred_access_rule_rel).execute() + class MySQLOpportunisticFullMigration(FullMigration): FIXTURE = 
db_fixtures.MySQLOpportunisticFixture
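Review bot: `test_migration_056_add_application_credential_access_rules` only inserts one valid row into each new table, so it never exercises the two `ondelete='CASCADE'` foreign keys beyond `does_fk_exist`. After the last insert I would delete the `application_credential` row and assert that `application_credential_access_rule` is empty, and add a case where an association row pointing at a non-existent `access_rule_id` is rejected; both checks only hold on backends that enforce foreign keys, so they may need to be limited to the MySQL/PostgreSQL opportunistic classes. The enclosing `FullMigration` class begins outside this hunk.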