diff --git a/keystone/api/credentials.py b/keystone/api/credentials.py
index c76096bc47..952f029ce0 100644
--- a/keystone/api/credentials.py
+++ b/keystone/api/credentials.py
@@ -120,7 +120,8 @@ class CredentialResource(ks_flask.ResourceBase):
         trust_id = getattr(self.oslo_context, 'trust_id', None)
         ref = self._assign_unique_id(
             self._normalize_dict(credential), trust_id=trust_id)
-        ref = PROVIDERS.credential_api.create_credential(ref['id'], ref)
+        ref = PROVIDERS.credential_api.create_credential(
+            ref['id'], ref, initiator=self.audit_initiator)
         return self.wrap_member(ref), http_client.CREATED
 
     def patch(self, credential_id):
@@ -143,7 +144,8 @@ class CredentialResource(ks_flask.ResourceBase):
             target_attr=_build_target_enforcement()
         )
 
-        return (PROVIDERS.credential_api.delete_credential(credential_id),
+        return (PROVIDERS.credential_api.delete_credential(credential_id,
+                initiator=self.audit_initiator),
                 http_client.NO_CONTENT)
 
 
diff --git a/keystone/credential/core.py b/keystone/credential/core.py
index cb28b314e0..d6c48ff163 100644
--- a/keystone/credential/core.py
+++ b/keystone/credential/core.py
@@ -21,6 +21,7 @@ from keystone.common import manager
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
+from keystone import notifications
 
 
 CONF = keystone.conf.CONF
@@ -38,6 +39,8 @@ class Manager(manager.Manager):
     driver_namespace = 'keystone.credential'
     _provides_api = 'credential_api'
 
+    _CRED = 'credential'
+
     def __init__(self):
         super(Manager, self).__init__(CONF.credential.driver)
 
@@ -102,13 +105,18 @@ class Manager(manager.Manager):
         credential = self.driver.get_credential(credential_id)
         return self._decrypt_credential(credential)
 
-    def create_credential(self, credential_id, credential):
+    def create_credential(self, credential_id, credential,
+                          initiator=None):
         """Create a credential."""
         credential_copy = self._encrypt_credential(credential)
         ref = self.driver.create_credential(credential_id, credential_copy)
         ref.pop('key_hash', None)
         ref.pop('encrypted_blob', None)
         ref['blob'] = credential['blob']
+        notifications.Audit.created(
+            self._CRED,
+            credential_id,
+            initiator)
         return ref
 
     def _validate_credential_update(self, credential_id, credential):
@@ -143,3 +151,10 @@ class Manager(manager.Manager):
         else:
             ref['blob'] = existing_blob
         return ref
+
+    def delete_credential(self, credential_id,
+                          initiator=None):
+        """Delete a credential."""
+        self.driver.delete_credential(credential_id)
+        notifications.Audit.deleted(
+            self._CRED, credential_id, initiator)
diff --git a/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
new file mode 100644
index 0000000000..33a355cc5d
--- /dev/null
+++ b/releasenotes/notes/bug-1831918-c70cf87ef086d871.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    [`bug 1831918 <https://bugs.launchpad.net/keystone/+bug/1831918>`_]
+    Credentials now logs cadf audit messages.
+