diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
index c33ae878b5..fa2433e2d3 100644
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
@@ -702,17 +702,20 @@ class AuthWithTrust(AuthTest):
     def test_create_trust_bad_data_fails(self):
         context = self._create_auth_context(
             self.unscoped_token['access']['token']['id'])
-        bad_sample_data = {'trustor_user_id': self.trustor['id']}
+        bad_sample_data = {'trustor_user_id': self.trustor['id'],
+                           'project_id': self.tenant_bar['id'],
+                           'roles': [{'id': self.role_browser['id']}]}
 
         self.assertRaises(exception.ValidationError,
                           self.trust_controller.create_trust,
                           context, trust=bad_sample_data)
 
     def test_create_trust_no_roles(self):
-        self.new_trust = None
+        context = {'token_id': self.unscoped_token['access']['token']['id']}
         self.sample_data['roles'] = []
-        self.create_trust()
-        self.assertEqual([], self.new_trust['roles'])
+        self.assertRaises(exception.Forbidden,
+                          self.trust_controller.create_trust,
+                          context, trust=self.sample_data)
 
     def test_create_trust(self):
         self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id'])
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index e395df34ec..ae66ca15cb 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -2298,6 +2298,14 @@ class TestTrustAuth(TestAuthInfo):
         r = self.post('/OS-TRUST/trusts', body={'trust': ref})
         self.assertValidTrustResponse(r, ref)
 
+    def test_create_trust_no_roles(self):
+        ref = self.new_trust_ref(
+            trustor_user_id=self.user_id,
+            trustee_user_id=self.trustee_user_id,
+            project_id=self.project_id)
+        del ref['id']
+        self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403)
+
     def _initialize_test_consume_trust(self, count):
         # Make sure remaining_uses is decremented as we consume the trust
         ref = self.new_trust_ref(
@@ -2455,14 +2463,18 @@ class TestTrustAuth(TestAuthInfo):
     def test_create_trust_trustee_404(self):
         ref = self.new_trust_ref(
             trustor_user_id=self.user_id,
-            trustee_user_id=uuid.uuid4().hex)
+            trustee_user_id=uuid.uuid4().hex,
+            project_id=self.project_id,
+            role_ids=[self.role_id])
         del ref['id']
         self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404)
 
     def test_create_trust_trustor_trustee_backwards(self):
         ref = self.new_trust_ref(
             trustor_user_id=self.trustee_user_id,
-            trustee_user_id=self.user_id)
+            trustee_user_id=self.user_id,
+            project_id=self.project_id,
+            role_ids=[self.role_id])
         del ref['id']
         self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403)
 
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
index e80d533010..bf8a8af278 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@@ -134,6 +134,9 @@ class TrustV3(controller.V3Controller):
         if not trust:
             raise exception.ValidationError(attribute='trust',
                                             target='request')
+        if trust.get('project_id') and not trust.get('roles'):
+            raise exception.Forbidden(
+                _('At least one role should be specified.'))
         try:
             user_id = self._get_user_id(context)
             _trustor_only(context, trust, user_id)