diff --git a/roles/service_setup/tasks/main.yml b/roles/service_setup/tasks/main.yml index 5ee4d76b..0fd4200f 100644 --- a/roles/service_setup/tasks/main.yml +++ b/roles/service_setup/tasks/main.yml @@ -65,25 +65,6 @@ retries: 5 delay: 10 - - name: Add keystone roles - openstack.cloud.identity_role: - cloud: default - state: present - name: "{{ item.role }}" - endpoint_type: admin - validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}" - register: add_service - when: - - not (_service_in_ldap | default(False) | bool) - - _service_users is defined - - "'role' in item" - - (item.condition | default(True)) | bool - until: add_service is success - with_items: "{{ _service_users }}" - retries: 5 - delay: 10 - no_log: True - - name: Add service users openstack.cloud.identity_user: cloud: default @@ -108,28 +89,16 @@ delay: 10 no_log: True - - name: Add service users to the role - openstack.cloud.role_assignment: - cloud: default - state: present - user: "{{ item.name }}" - role: "{{ item.role }}" - project: "{{ item.project | default(_service_project_name) }}" - domain: "{{ item.domain | default(omit) }}" - endpoint_type: admin - validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}" - register: add_service + - name: Include task for role assignment + include_tasks: setup_roles.yml when: - not (_service_in_ldap | default(False) | bool) - _service_users is defined - - "'name' in item" - - "'role' in item" - - (item.condition | default(True)) | bool - until: add_service is success - with_items: "{{ _service_users }}" - retries: 5 - delay: 10 - no_log: True + - "'role' in user" + - (user.condition | default(True)) | bool + loop: "{{ _service_users }}" + loop_control: + loop_var: user - name: Add endpoints to keystone endpoint catalog openstack.cloud.endpoint: diff --git a/roles/service_setup/tasks/setup_roles.yml b/roles/service_setup/tasks/setup_roles.yml new file mode 100644 index 00000000..91270b52 --- /dev/null 
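Review bot: The `include_tasks` loop at the end of the second hunk prints every `user` item in the play output, while the `role_assignment` task it replaces ran with `no_log: True`, which suggests these dictionaries carry credentials; `no_log` is not reliably honored on an include, so add `label: "{{ user.name | default('unnamed') }}"` under `loop_control` so that only the user name is displayed. The `'name' in item` guard from the removed task is not lost: it reappears on the `role_assignment` tasks inside setup_roles.yml, so keeping only the `role` and `condition` checks on the include is consistent. The first hunk is a pure deletion of the old `Add keystone roles` task, which the new file re-creates per user.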
+++ b/roles/service_setup/tasks/setup_roles.yml 
@@ -0,0 +1,91 @@
+---
+# Copyright 2022, City Network International AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Setup role when it is a string
+ block:
+ - name: Add a keystone role
+ openstack.cloud.identity_role:
+ cloud: default
+ state: present
+ name: "{{ user.role }}"
+ endpoint_type: admin
+ validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
+ register: add_service
+ until: add_service is success
+ retries: 5
+ delay: 10
+ no_log: True
+
+ - name: Add service users to the role
+ openstack.cloud.role_assignment:
+ cloud: default
+ state: present
+ user: "{{ user.name }}"
+ role: "{{ user.role }}"
+ project: "{{ user.project | default(_service_project_name) }}"
+ domain: "{{ user.domain | default(omit) }}"
+ endpoint_type: admin
+ validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
+ register: add_service
+ until: add_service is success
+ retries: 5
+ delay: 10
+ no_log: True
+ when:
+ - "'name' in user"
+ when:
+ - user.role is string
+
+- name: Setup roles when they are a list
+ block:
+ - name: Add keystone roles
+ openstack.cloud.identity_role:
+ cloud: default
+ state: present
+ name: "{{ role }}"
+ endpoint_type: admin
+ validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
+ register: add_service
+ until: add_service is success
+ retries: 5
+ delay: 10
+ no_log: True
+ loop: "{{ user.role }}"
+ loop_control:
+ loop_var: role
+
+ - name: Add service users to multiple roles
+ openstack.cloud.role_assignment:
+ cloud: default
+ state: present
+ user: "{{ user.name }}"
+ role: "{{ role }}"
+ project: "{{ user.project | default(_service_project_name) }}"
+ domain: "{{ user.domain | default(omit) }}"
+ endpoint_type: admin
+ validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
+ register: add_service
+ until: add_service is success
+ retries: 5
+ delay: 10
+ no_log: True
+ loop: "{{ user.role }}"
+ loop_control:
+ loop_var: role
+ when:
+ - "'name' in user"
+ when:
+ - user.role is iterable
+ - user.role is not string
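Review bot: The new file says nothing about the `user` variable that every task in it reads, even though that variable only exists because main.yml includes this file with `loop_control: loop_var: user`. A header comment after the license block, stating that `user` is one entry of `_service_users` with a required `role` key (a string or a list of strings) and optional `name`, `project`, `domain` and `condition` keys, and that when `name` is absent only the keystone role is created and no assignment is made, would let a reader understand the two blocks without opening main.yml. The four copies of `validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"` still resolve to skipping certificate verification whenever `_service_adminuri_insecure` is undefined; that default predates this commit, but a one-line comment on the first copy recording that it is intentional would stop the next reader treating it as a mistake. As a point of style, `no_log: True` and the other capitalised booleans would be `true`/`false` under yamllint's truthy rule, unless the role deliberately keeps the capitalised form.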