diff --git a/heat/values.yaml b/heat/values.yaml
index b7f2a0f0e8..fd02006bed 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -572,13 +572,10 @@ bootstrap:
   enabled: true
   ks_user: admin
   script: |
-    #NOTE(portdirect): required for all users who operate heat stacks
-    openstack role create --or-show heat_stack_owner
-
     #NOTE(portdirect): The Orchestration service automatically assigns the
     # 'heat_stack_user' role to users that it creates during stack deployment.
     # By default, this role restricts API operations. To avoid conflicts, do
-    # not add this role to users with the heat_stack_owner role.
+    # not add this role to actual users.
     openstack role create --or-show heat_stack_user
 
 dependencies:
@@ -766,9 +763,7 @@ endpoints:
         user_domain_name: default
         project_domain_name: default
       heat:
-        role:
-          - admin
-          - heat_stack_owner
+        role: admin
         region_name: RegionOne
         username: heat
         password: password
diff --git a/keystone/values.yaml b/keystone/values.yaml
index fb9ec26946..383b861ea6 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -64,15 +64,6 @@ bootstrap:
           --project="${OS_PROJECT_NAME}" \
           "member"
 
-    #NOTE(portdirect): required for all users who operate heat stacks
-    openstack role create --or-show heat_stack_owner
-    openstack role add \
-          --user="${OS_USERNAME}" \
-          --user-domain="${OS_USER_DOMAIN_NAME}" \
-          --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
-          --project="${OS_PROJECT_NAME}" \
-          "heat_stack_owner"
-
 network:
   api:
     ingress: