diff --git a/keystone/application_credential/core.py b/keystone/application_credential/core.py
index 87a1ca9af3..363c4af6a8 100644
--- a/keystone/application_credential/core.py
+++ b/keystone/application_credential/core.py
@@ -127,12 +127,13 @@ class Manager(manager.Manager):
 user_id = application_credential['user_id']
 project_id = application_credential['project_id']
 roles = application_credential.pop('roles', [])
+ access_rules = application_credential.pop('access_rules', None)
 self._assert_limit_not_exceeded(user_id)
 self._require_user_has_role_in_project(roles, user_id, project_id)
 unhashed_secret = application_credential['secret']
 ref = self.driver.create_application_credential(
- application_credential, roles)
+ application_credential, roles, access_rules)
 ref['secret'] = unhashed_secret
 ref = self._process_app_cred(ref)
 notifications.Audit.created(
diff --git a/keystone/tests/unit/application_credential/test_backends.py b/keystone/tests/unit/application_credential/test_backends.py
index 061312a154..b590f9a9c0 100644
--- a/keystone/tests/unit/application_credential/test_backends.py
+++ b/keystone/tests/unit/application_credential/test_backends.py
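Review bot: In keystone/application_credential/core.py, `access_rules` reaches `self.driver.create_application_credential` without any manager-level check, whereas `roles` is vetted by `_require_user_has_role_in_project` two lines later. The second new test shows that a rule can be referenced by `id` alone, so whether that id must belong to `user_id` is decided entirely in the driver, which is not visible on this page. If the lookup is not scoped there, a credential could attach a rule owned by a different user and have its contents returned in the response. Either check ownership here, or once the driver behaviour is confirmed record it next to the pop, e.g. `# NOTE: access_rules are not validated here; the driver must scope rule ids to user_id`. The enclosing method starts and ends outside the hunk.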
@@ -107,6 +107,42 @@ class ApplicationCredentialTests(object):
 self.app_cred_api.create_application_credential, app_cred)
+ def test_create_application_credential_with_access_rules(self):
+ app_cred = self._new_app_cred_data(self.user_foo['id'],
+ project_id=self.project_bar['id'])
+ app_cred['access_rules'] = [{
+ 'id': uuid.uuid4().hex,
+ 'service': uuid.uuid4().hex,
+ 'path': uuid.uuid4().hex,
+ 'method': uuid.uuid4().hex[16:]
+ }]
+ resp = self.app_cred_api.create_application_credential(app_cred)
+ resp.pop('roles')
+ resp_access_rules = resp.pop('access_rules')
+ app_cred.pop('roles')
+ orig_access_rules = app_cred.pop('access_rules')
+ self.assertDictEqual(app_cred, resp)
+ for i, ar in enumerate(resp_access_rules):
+ self.assertDictEqual(orig_access_rules[i], ar)
+ def test_create_application_credential_with_preexisting_access_rules(self):
+ app_cred_1 = self._new_app_cred_data(self.user_foo['id'],
+ project_id=self.project_bar['id'])
+ app_cred_1['access_rules'] = [{
+ 'id': uuid.uuid4().hex,
+ 'service': uuid.uuid4().hex,
+ 'path': uuid.uuid4().hex,
+ 'method': uuid.uuid4().hex[16:]
+ }]
+ resp = self.app_cred_api.create_application_credential(app_cred_1)
+ resp_access_rules_1 = resp.pop('access_rules')
+ app_cred_2 = self._new_app_cred_data(self.user_foo['id'],
+ project_id=self.project_bar['id'])
+ app_cred_2['access_rules'] = [{'id': resp_access_rules_1[0]['id']}]
+ resp = self.app_cred_api.create_application_credential(app_cred_2)
+ resp_access_rules_2 = resp.pop('access_rules')
+ self.assertDictEqual(resp_access_rules_1[0], resp_access_rules_2[0])
+ def test_get_application_credential(self):
 app_cred = self._new_app_cred_data(self.user_foo['id'], project_id=self.project_bar['id'])
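Review bot: In keystone/tests/unit/application_credential/test_backends.py, the `for i, ar in enumerate(resp_access_rules)` loop in `test_create_application_credential_with_access_rules` asserts nothing when the backend returns an empty `access_rules` list, so a driver that silently drops the rules would still pass. Add `self.assertEqual(len(orig_access_rules), len(resp_access_rules))` before the loop. The pre-existing-rule test only has `user_foo` reuse its own rule id; a companion case where a different user submits that id would pin down whether rule lookup is scoped per user. The `'method'` value is random hex (`uuid.uuid4().hex[16:]`), so these tests also do not show whether an invalid HTTP method is rejected anywhere.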