diff --git a/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml b/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml
new file mode 100644
index 00000000..216d367a
--- /dev/null
+++ b/releasenotes/notes/service_password_update-3bdd2bb5ed3a99b5.yaml
@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    Added variable ``service_update_password`` that will control whether
+    password should be updated, which defaults to `False`. This changes
+    previous behaviour when service passwords were always updated in
+    the keystone on role run.
+    Please use this variable whenever you need to update a password for
+    the service.
+fixes:
+  - |
+    Different race conditions in services are fixed when keystone password
+    is forcefully reseted.
+    Closes Bug: `#2023370 <https://bugs.launchpad.net/openstack-ansible/+bug/2023370>`_
diff --git a/roles/service_setup/tasks/main.yml b/roles/service_setup/tasks/main.yml
index cf3b879f..6eb0f737 100644
--- a/roles/service_setup/tasks/main.yml
+++ b/roles/service_setup/tasks/main.yml
@@ -77,7 +77,7 @@
         default_project: "{{ (default_project is truthy) | ternary(default_project, omit) }}"
         endpoint_type: admin
         validate_certs: "{{ not (_service_adminuri_insecure | default(True) | bool) }}"
-        update_password: always
+        update_password: "{{ (service_update_password | default(False) | bool) | ternary('always', omit) }}"
       register: add_service
       when:
         - not (_service_in_ldap | default(False) | bool)