diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2
index 10890eb7e6..2486a59e84 100644
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@@ -50,5 +50,12 @@
             "owner": "keystone",
             "perm": "0600"
         }{% endif %}
+    ],
+    "permissions": [
+        {
+            "path": "/etc/keystone/fernet-keys",
+            "owner": "keystone:keystone",
+            "perm": "0770"
+        }
     ]
 }
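Review bot: The new `permissions` entry sets `/etc/keystone/fernet-keys` to `0770`, which gives every member of the `keystone` group write and search access to the directory that holds the Fernet keys; the identical block is added in keystone-ssh.json.j2. Write access on the directory is enough to add, rename or delete entries even when the key files themselves are `0600`, and Keystone decides which key is staged or primary from the file names in that directory. Unless an account other than the `keystone` user has to rotate or sync keys through group membership, `"perm": "0700"` would fix the same ownership failure with a tighter mode. The entry is also not recursive, so files already present keep their current owner and mode. That is presumably intended, but worth confirming against a volume that hit the original failure.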
diff --git a/ansible/roles/keystone/templates/keystone-ssh.json.j2 b/ansible/roles/keystone/templates/keystone-ssh.json.j2
index ca016f8223..d2b5edb415 100644
--- a/ansible/roles/keystone/templates/keystone-ssh.json.j2
+++ b/ansible/roles/keystone/templates/keystone-ssh.json.j2
@@ -13,5 +13,12 @@
             "owner": "keystone",
             "perm": "0600"
         }
+    ],
+    "permissions": [
+        {
+            "path": "/etc/keystone/fernet-keys",
+            "owner": "keystone:keystone",
+            "perm": "0770"
+        }
     ]
 }
diff --git a/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml b/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml
new file mode 100644
index 0000000000..1f73b5db08
--- /dev/null
+++ b/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue where Keystone Fernet key rotation may fail due to
+    permission denied error if the Keystone rotation happens before the
+    Keystone container starts. `LP#1888512
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1888512>`__