diff --git a/defaults/main.yml b/defaults/main.yml
index cc8298b1..f19ee1ae 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -190,7 +190,12 @@ nova_service_project_name: "service"
 nova_service_project_domain_id: default
 nova_service_user_domain_id: default
 nova_service_user_name: "nova"
-nova_service_role_name: "admin"
+nova_service_role_names:
+  - admin
+  - service
+nova_service_token_roles:
+  - service
+nova_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 
 ## Keystone authentication middleware
 nova_keystone_auth_plugin: password
diff --git a/tasks/main.yml b/tasks/main.yml
index 38a82b0a..e7ff8b74 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -185,7 +185,7 @@
     _service_users:
       - name: "{{ nova_service_user_name }}"
         password: "{{ nova_service_password }}"
-        role: "{{ nova_service_role_name }}"
+        role: "{{ nova_service_role_names }}"
     _service_endpoints:
       - service: "{{ nova_service_name }}"
         interface: "public"
diff --git a/templates/nova.conf.j2 b/templates/nova.conf.j2
index 0d89d772..7529a3a2 100644
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
@@ -190,6 +190,10 @@ username = {{ nova_service_user_name }}
 password = {{ nova_service_password }}
 region_name = {{ keystone_service_region }}
 
+service_token_roles_required = {{ nova_service_token_roles_required | bool }}
+service_token_roles = {{ nova_service_token_roles | join(',') }}
+service_type = {{ nova_service_type }}
+
 memcached_servers = {{ memcached_servers }}
 
 token_cache_time = 300