diff --git a/nova/policies/console_auth_tokens.py b/nova/policies/console_auth_tokens.py
index 9df96f8aa84e..d6a00b735cc1 100644
--- a/nova/policies/console_auth_tokens.py
+++ b/nova/policies/console_auth_tokens.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'
 console_auth_tokens_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME,
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_READER,
 description="Show console connection information for a given console "
 "authentication token",
 operations=[
diff --git a/nova/tests/unit/fake_policy.py b/nova/tests/unit/fake_policy.py
index 5ccaa4ddf51b..abea3bdcc764 100644
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@@ -37,6 +37,7 @@ policy_data = """
 "os_compute_api:os-attach-interfaces:create": "",
 "os_compute_api:os-attach-interfaces:delete": "",
 "os_compute_api:os-baremetal-nodes": "",
+ "os_compute_api:os-console-auth-tokens": "",
 "os_compute_api:os-console-output": "",
 "os_compute_api:os-remote-consoles": "",
 "os_compute_api:os-create-backup": "",
diff --git a/nova/tests/unit/policies/test_console_auth_tokens.py b/nova/tests/unit/policies/test_console_auth_tokens.py
index 403a647ec25a..7637a0244e22 100644
--- a/nova/tests/unit/policies/test_console_auth_tokens.py
+++ b/nova/tests/unit/policies/test_console_auth_tokens.py
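Review bot: The switch to `check_str=base.SYSTEM_READER` is the only change visible in this rule, and nothing in the hunk declares a `deprecated_rule` for the old `base.RULE_ADMIN_API` default, yet the test hunk's NOTE relies on the admin_api rule still being honoured so legacy and project admins keep access. If the `DocumentedRuleDefault` outside this hunk does not carry `deprecated_rule=`/`deprecated_reason=`/`deprecated_since=` for the admin_api rule, the oslo.policy fallback the tests depend on will not exist and admin-issued console tokens stop resolving through this API. It would also help to say in the description that this call resolves a console auth token to its connection details, since the change widens the readers of that data from admins to any system-scoped reader. The rest of the rule definition (operations, scope_types) lies outside the hunk, so this is hedged on what is declared there.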
@@ -31,24 +31,29 @@ class ConsoleAuthTokensPolicyTest(base.BasePolicyTest):
 self.controller = console_auth_tokens.ConsoleAuthTokensController()
 self.req = fakes.HTTPRequest.blank('', version='2.31')
- # Check that admin is able to get console connection information.
- self.admin_authorized_contexts = [
- self.legacy_admin_context, self.system_admin_context,
+ # Check that system reader is able to get console connection
+ # information.
+ # NOTE(gmann): Until old default rule which is admin_api is
+ # deprecated and not removed, project admin and legacy admin
+ # will be able to get console. This make sure that existing
+ # tokens will keep working even we have changed this policy defaults
+ # to reader role.
+ self.reader_authorized_contexts = [
+ self.system_admin_context, self.system_member_context,
+ self.system_reader_context, self.legacy_admin_context,
 self.project_admin_context]
 # Check that non-admin is not able to get console connection
 # information.
- self.admin_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.project_foo_context, self.project_reader_context
- ]
+ self.reader_unauthorized_contexts = [
+ self.system_foo_context, self.other_project_member_context,
+ self.project_foo_context, self.project_member_context,
+ self.project_reader_context]
 @mock.patch('nova.objects.ConsoleAuthToken.validate')
 def test_console_connect_info_token_policy(self, mock_validate):
 rule_name = "os_compute_api:os-console-auth-tokens"
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
+ self.common_policy_check(self.reader_authorized_contexts,
+ self.reader_unauthorized_contexts,
 rule_name, self.controller.show, self.req, fakes.FAKE_UUID)
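Review bot: The retained context comment `# Check that non-admin is not able to get console connection` / `# information.` above `self.reader_unauthorized_contexts` is now wrong: system member and system reader are non-admins and sit in the authorized list a few lines above, so the unauthorized set is "neither system reader nor any admin". Suggest `# Check that contexts that are neither system reader nor admin are` / `# not able to get console connection information.`. The new NOTE(gmann) block also reads awkwardly; `# This makes sure that existing tokens keep working even though the` / `# policy default has changed to the reader role.` says the same thing clearly. The setUp method begins before the hunk.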
@@ -68,15 +73,15 @@ class ConsoleAuthTokensScopeTypePolicyTest(ConsoleAuthTokensPolicyTest):
 super(ConsoleAuthTokensScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system admin is able to get console connection
+ # Check that system reader is able to get console connection
 # information.
- self.admin_authorized_contexts = [
- self.system_admin_context]
- # Check that non-system-admin is not able to get console connection
+ self.reader_authorized_contexts = [
+ self.system_admin_context, self.system_member_context,
+ self.system_reader_context]
+ # Check that non-system-reader is not able to get console connection
 # information.
- self.admin_unauthorized_contexts = [
- self.legacy_admin_context, self.system_member_context,
- self.system_reader_context, self.system_foo_context,
+ self.reader_unauthorized_contexts = [
+ self.legacy_admin_context, self.system_foo_context,
 self.project_admin_context, self.project_member_context, self.other_project_member_context, self.project_foo_context, self.project_reader_context
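Review bot: `self.legacy_admin_context` and `self.project_admin_context` land in `self.reader_unauthorized_contexts` here while the parent setUp keeps both authorized through the deprecated admin_api rule, and the only visible difference is `self.flags(enforce_scope=True, group="oslo_policy")`, so the comment should say why they flip — presumably because their project-scoped tokens are rejected once scope is enforced against the rule's system scope_types, which this hunk does not show. Suggest replacing `# Check that non-system-reader is not able to get console connection` / `# information.` with `# With scope enforced, project-scoped contexts (including legacy and` / `# project admin) and non-reader system contexts cannot get console` / `# connection information.`. The closing bracket of the unauthorized list and the rest of setUp appear to fall after the hunk.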