diff --git a/keystone/cmd/bootstrap.py b/keystone/cmd/bootstrap.py
index 2d1ec8577b..c343c00130 100644
--- a/keystone/cmd/bootstrap.py
+++ b/keystone/cmd/bootstrap.py
@@ -124,6 +124,14 @@ class Bootstrapper(object):
 # name instead.
 hints = driver_hints.Hints()
 hints.add_filter('name', role_name)
+ # Only return global roles, domain-specific roles can't be used in
+ # system assignments and bootstrap isn't designed to work with
+ # domain-specific roles.
+ hints.add_filter('domain_id', None)
+
+ # NOTE(lbragstad): Global roles are unique based on name. At this
+ # point we should be safe to return the first, and only, element in
+ # the list.
 return PROVIDERS.role_api.list_roles(hints)[0]
 def _ensure_implied_role(self, prior_role_id, implied_role_id):
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 2c4a3f1de9..cd7d21012b 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -281,6 +281,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
 user_id,
 bootstrap.password)
+ def test_bootstrap_with_ambiguous_role_names(self):
+ bootstrap = cli.BootStrap()
+ # bootstrap system to create the default admin role
+ self._do_test_bootstrap(bootstrap)
+
+ # create a domain-specific roles that share the same names as the
+ # default roles created by keystone-manage bootstrap
+ domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
+ domain_roles = {}
+
+ for name in ['admin', 'member', 'reader']:
+ domain_role = {
+ 'domain_id': domain['id'],
+ 'id': uuid.uuid4().hex,
+ 'name': name
+ }
+ domain_roles[name] = PROVIDERS.role_api.create_role(
+ domain_role['id'], domain_role
+ )
+
+ # ensure subsequent bootstrap attempts don't fail because of
+ # ambiguity
+ self._do_test_bootstrap(bootstrap)
+
 class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
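Review bot: `return PROVIDERS.role_api.list_roles(hints)[0]` still turns an empty result into a bare IndexError, and the added `domain_id` filter makes that case reachable whenever the conflict that led here was not caused by an existing global role of that name. Since the NOTE already states the list must hold exactly one element, make that explicit with a meaningful failure: `roles = PROVIDERS.role_api.list_roles(hints)`, `if not roles: raise exception.RoleNotFound(role_id=role_name)`, `return roles[0]` (assuming `keystone.exception` is imported in this module, which the hunk does not show). The filter itself only does what the comment promises if the role driver maps a `None` domain_id value onto its global-role representation rather than comparing against it literally; worth confirming against the SQL driver's `list_roles`. The enclosing method starts before this hunk.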
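Review bot: `domain_roles` is filled in the loop but never read afterwards, so the test only shows that the second bootstrap run does not raise, not that it selected the global role over the same-named domain-specific ones. Either drop the dict or use it in an assertion after the final `self._do_test_bootstrap(bootstrap)`, e.g. check that the role id bootstrap ended up assigning is not in `{r['id'] for r in domain_roles.values()}` (which attribute of `bootstrap` exposes that id is not visible in this hunk). The comment `# create a domain-specific roles that share the same names as the` should read `# create domain-specific roles that share the same names as the`.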
diff --git a/releasenotes/notes/bug-1856881-277103af343187f1.yaml b/releasenotes/notes/bug-1856881-277103af343187f1.yaml
new file mode 100644
index 0000000000..673371dbf5
--- /dev/null
+++ b/releasenotes/notes/bug-1856881-277103af343187f1.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ [`bug 1856881 `_]
+ ``keystone-manage bootstrap`` can be run in upgrade scenarios where
+ pre-existing domain-specific roles exist named ``admin``, ``member``, and
+ ``reader``.