diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index e8ede18c76..918f09ac5f 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -349,3 +349,9 @@ keystone_pip_packages:
   - python-memcached
   - python-openstackclient
   - repoze.lru
+
+## Tunable overrides
+keystone_keystone_conf_overrides: {}
+keystone_keystone_default_conf_overrides: {}
+keystone_keystone_paste_ini_overrides: {}
+keystone_policy_overrides: {}
diff --git a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
index 732e6724db..506fed82d8 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_post_install.yml
@@ -13,15 +13,32 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Generate Keystone Config
-  template:
+- name: Copy keystone config
+  config_template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: "{{ keystone_system_user_name }}"
     group: "{{ keystone_system_group_name }}"
+    mode: "0644"
+    config_overrides: "{{ item.config_overrides }}"
+    config_type: "{{ item.config_type }}"
   with_items:
-    - { src: "keystone.conf.j2", dest: "/etc/keystone/keystone.conf" }
-    - { src: "keystone.Default.conf.j2", dest: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf" }
+    - src: "keystone.conf.j2"
+      dest: "/etc/keystone/keystone.conf"
+      config_overrides: "{{ keystone_keystone_conf_overrides }}"
+      config_type: "ini"
+    - src: "keystone.Default.conf.j2"
+      dest: "{{ keystone_ldap_domain_config_dir }}/keystone.Default.conf"
+      config_overrides: "{{ keystone_keystone_default_conf_overrides }}"
+      config_type: "ini"
+    - src: "keystone-paste.ini.j2"
+      dest: "/etc/keystone/keystone-paste.ini"
+      config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
+      config_type: "ini"
+    - src: "policy.json.j2"
+      dest: "/etc/keystone/policy.json"
+      config_overrides: "{{ keystone_policy_overrides }}"
+      config_type: "json"
   notify:
     - Restart Apache
   tags:
@@ -35,7 +52,6 @@
     group: "{{ keystone_system_group_name }}"
     mode: "{{ item.mode|default('0644') }}"
   with_items:
-    - { src: "keystone-paste.ini", dest: "/etc/keystone/keystone-paste.ini" }
     - { src: "sso_callback_template.html", dest: "/etc/keystone/sso_callback_template.html" }
     - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
     - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
@@ -43,17 +59,3 @@
     - Restart Apache
   tags:
     - keystone-config
-
-- name: Apply updates to Policy file
-  config_template:
-    src: "policy.json"
-    dest: "/etc/keystone/policy.json"
-    owner: "{{ keystone_system_user_name }}"
-    group: "{{ keystone_system_group_name }}"
-    mode: "0644"
-    config_overrides: "{{ keystone_policy_overrides|default({}) }}"
-    config_type: "json"
-  notify:
-    - Restart Apache
-  tags:
-    - keystone-config
diff --git a/playbooks/roles/os_keystone/files/keystone-paste.ini b/playbooks/roles/os_keystone/templates/keystone-paste.ini.j2
similarity index 100%
rename from playbooks/roles/os_keystone/files/keystone-paste.ini
rename to playbooks/roles/os_keystone/templates/keystone-paste.ini.j2
diff --git a/playbooks/roles/os_keystone/templates/policy.json b/playbooks/roles/os_keystone/templates/policy.json.j2
similarity index 100%
rename from playbooks/roles/os_keystone/templates/policy.json
rename to playbooks/roles/os_keystone/templates/policy.json.j2