diff --git a/manifests/key_manager/barbican.pp b/manifests/key_manager/barbican.pp
index f6f10aec..b9c92c8f 100644
--- a/manifests/key_manager/barbican.pp
+++ b/manifests/key_manager/barbican.pp
@@ -33,14 +33,19 @@
 # (Optional) Specifies the region of the chosen endpoint.
 # Defaults to $::os_service_default
 #
+# [*send_service_user_token*]
+# (Optional) The service uses service token feature when this is set as true.
+# Defaults to $::os_service_default
+#
 class glance::key_manager::barbican (
- $barbican_endpoint = $::os_service_default,
- $barbican_api_version = $::os_service_default,
- $auth_endpoint = $::os_service_default,
- $retry_delay = $::os_service_default,
- $number_of_retries = $::os_service_default,
- $barbican_endpoint_type = $::os_service_default,
- $barbican_region_name = $::os_service_default,
+ $barbican_endpoint = $::os_service_default,
+ $barbican_api_version = $::os_service_default,
+ $auth_endpoint = $::os_service_default,
+ $retry_delay = $::os_service_default,
+ $number_of_retries = $::os_service_default,
+ $barbican_endpoint_type = $::os_service_default,
+ $barbican_region_name = $::os_service_default,
+ $send_service_user_token = $::os_service_default,
 ) {
 include glance::deps
 
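Review bot: The new `send_service_user_token` doc block does not say where the service credentials come from, so an operator can set it to true on `glance::key_manager::barbican` without declaring `glance::key_manager::barbican::service_user`. Presumably a service token can only be sent once that class has configured the service user; if so, the description should say it, e.g. `#   (Optional) Send a service token with requests to Barbican. Requires glance::key_manager::barbican::service_user to be declared.` The class body continues past this hunk.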
@@ -49,12 +54,13 @@ class glance::key_manager::barbican (
 $auth_endpoint_real = pick($glance::api::keymgr_encryption_auth_url, $auth_endpoint)
 
 oslo::key_manager::barbican { 'glance_api_config':
- barbican_endpoint => $barbican_endpoint_real,
- barbican_api_version => $barbican_api_version,
- auth_endpoint => $auth_endpoint_real,
- retry_delay => $retry_delay,
- number_of_retries => $number_of_retries,
- barbican_endpoint_type => $barbican_endpoint_type,
- barbican_region_name => $barbican_region_name,
+ barbican_endpoint => $barbican_endpoint_real,
+ barbican_api_version => $barbican_api_version,
+ auth_endpoint => $auth_endpoint_real,
+ retry_delay => $retry_delay,
+ number_of_retries => $number_of_retries,
+ barbican_endpoint_type => $barbican_endpoint_type,
+ barbican_region_name => $barbican_region_name,
+ send_service_user_token => $send_service_user_token,
 }
 }
diff --git a/manifests/key_manager/barbican/service_user.pp b/manifests/key_manager/barbican/service_user.pp
new file mode 100644
index 00000000..1d17d564
--- /dev/null
+++ b/manifests/key_manager/barbican/service_user.pp
@@ -0,0 +1,94 @@
+# == Class: glance::key_manager::barbican::service_user
+#
+# Setup and configure the service token feature for Barbican Key Manager
+#
+# === Parameters
+#
+# [*password*]
+# (Required) Password to create for the service user
+#
+# [*username*]
+# (Optional) The name of the service user
+# Defaults to 'glance'
+#
+# [*auth_url*]
+# (Optional) The URL to use for authentication.
+# Defaults to 'http://localhost:5000'
+#
+# [*project_name*]
+# (Optional) Service project name
+# Defaults to 'services'
+#
+# [*user_domain_name*]
+# (Optional) Name of domain for $username
+# Defaults to 'Default'
+#
+# [*project_domain_name*]
+# (Optional) Name of domain for $project_name
+# Defaults to 'Default'
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities. WARNING: not recommended. Use with
+# caution.
+# Defaults to $::os_service_default
+#
+# [*auth_type*]
+# (Optional) Authentication type to load
+# Defaults to 'password'
+#
+# [*auth_version*]
+# (Optional) API version of the admin Identity API endpoint.
+# Defaults to $::os_service_default.
+#
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $::os_service_default.
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*region_name*]
+# (Optional) The region in which the identity server can be found.
+# Defaults to $::os_service_default.
+#
+class glance::key_manager::barbican::service_user(
+ $password,
+ $username = 'glance',
+ $auth_url = 'http://localhost:5000',
+ $project_name = 'services',
+ $user_domain_name = 'Default',
+ $project_domain_name = 'Default',
+ $insecure = $::os_service_default,
+ $auth_type = 'password',
+ $auth_version = $::os_service_default,
+ $cafile = $::os_service_default,
+ $certfile = $::os_service_default,
+ $keyfile = $::os_service_default,
+ $region_name = $::os_service_default,
+) {
+
+ include glance::deps
+
+ oslo::key_manager::barbican::service_user { 'glance_api_config':
+ username => $username,
+ password => $password,
+ auth_url => $auth_url,
+ project_name => $project_name,
+ user_domain_name => $user_domain_name,
+ project_domain_name => $project_domain_name,
+ insecure => $insecure,
+ auth_type => $auth_type,
+ auth_version => $auth_version,
+ cafile => $cafile,
+ certfile => $certfile,
+ keyfile => $keyfile,
+ region_name => $region_name,
+ }
+}
diff --git a/releasenotes/notes/barbican_service_user-606ee71dc0940e2a.yaml b/releasenotes/notes/barbican_service_user-606ee71dc0940e2a.yaml
new file mode 100644
index 00000000..7b7fb7e6
--- /dev/null
+++ b/releasenotes/notes/barbican_service_user-606ee71dc0940e2a.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ The following parameter and class have been added, to support usage of
+ the service token feature with the Barbican key manager.
+
+ - The ``glance::key_manager::barbican::send_service_user_token`` parameter
+ - The ``glance::key_manager::barbican::service_user`` class
diff --git a/spec/classes/glance_key_manager_barbican_service_user_spec.rb b/spec/classes/glance_key_manager_barbican_service_user_spec.rb
new file mode 100644
index 00000000..4665450a
--- /dev/null
+++ b/spec/classes/glance_key_manager_barbican_service_user_spec.rb
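Review bot: The default `auth_url` of `'http://localhost:5000'` together with `auth_type => 'password'` means the service user's password is presented to the identity endpoint without TLS unless the operator overrides it, and the parameter docs in `glance::key_manager::barbican::service_user` do not say so. I would state it in the `auth_url` description, e.g. `#   (Optional) The URL to use for authentication. Use an https:// URL (with cafile) outside single-node setups.` The `password` description, "Password to create for the service user", also reads as if the class creates the user, while the visible body only passes the value to `oslo::key_manager::barbican::service_user`; `#   (Required) Password of the service user` would be more accurate. Whether that define treats the value as a secret when rendering the config is not visible in this diff and is worth confirming.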
@@ -0,0 +1,79 @@
+require 'spec_helper'
+
+describe 'glance::key_manager::barbican::service_user' do
+ shared_examples 'glance::key_manager::barbican::service_user' do
+
+ let :params do
+ { :password => 'secret' }
+ end
+
+ context 'with default parameters' do
+ it {
+ is_expected.to contain_oslo__key_manager__barbican__service_user('glance_api_config').with(
+ :username => 'glance',
+ :password => 'secret',
+ :auth_url => 'http://localhost:5000',
+ :project_name => 'services',
+ :user_domain_name => 'Default',
+ :project_domain_name => 'Default',
+ :insecure => '',
+ :auth_type => 'password',
+ :auth_version => '',
+ :cafile => '',
+ :certfile => '',
+ :keyfile => '',
+ :region_name => '',
+ )
+ }
+ end
+
+ context 'with specified parameters' do
+ before :each do
+ params.merge!({
+ :username => 'alt_glance',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'alt_services',
+ :user_domain_name => 'Domain1',
+ :project_domain_name => 'Domain2',
+ :insecure => false,
+ :auth_type => 'v3password',
+ :auth_version => 'v3',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'keyfile',
+ :region_name => 'regionOne',
+ })
+ end
+
+ it {
+ is_expected.to contain_oslo__key_manager__barbican__service_user('glance_api_config').with(
+ :username => 'alt_glance',
+ :password => 'secret',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'alt_services',
+ :user_domain_name => 'Domain1',
+ :project_domain_name => 'Domain2',
+ :insecure => false,
+ :auth_type => 'v3password',
+ :auth_version => 'v3',
+ :cafile => '/opt/stack/data/cafile.pem',
+ :certfile => 'certfile.crt',
+ :keyfile => 'keyfile',
+ :region_name => 'regionOne',
+ )
+ }
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge(OSDefaults.get_facts())
+ end
+
+ it_behaves_like 'glance::key_manager::barbican::service_user'
+ end
+ end
+end
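Review bot: Nothing in this spec covers the one required parameter being absent: `password` is always supplied by the shared `let :params`, so a later change that gave it a default value would pass unnoticed. A context that overrides `params` with an empty hash and expects compilation to fail would pin the contract, e.g. `it { is_expected.to compile.and_raise_error(/password/) }`. The 'with specified parameters' context also only sets `:insecure => false`, so the TLS-verification-disabled path is never asserted either way.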
diff --git a/spec/classes/glance_key_manager_barbican_spec.rb b/spec/classes/glance_key_manager_barbican_spec.rb
index fd3c1f1b..5046a500 100644
--- a/spec/classes/glance_key_manager_barbican_spec.rb
+++ b/spec/classes/glance_key_manager_barbican_spec.rb
@@ -5,13 +5,14 @@ describe 'glance::key_manager::barbican' do
 context 'with default parameters' do
 it {
 is_expected.to contain_oslo__key_manager__barbican('glance_api_config').with(
- :barbican_endpoint => '',
- :barbican_api_version => '',
- :auth_endpoint => '',
- :retry_delay => '',
- :number_of_retries => '',
- :barbican_endpoint_type => '',
- :barbican_region_name => '',
+ :barbican_endpoint => '',
+ :barbican_api_version => '',
+ :auth_endpoint => '',
+ :retry_delay => '',
+ :number_of_retries => '',
+ :barbican_endpoint_type => '',
+ :barbican_region_name => '',
+ :send_service_user_token => '',
 )
 }
 end
@@ -19,25 +20,27 @@ describe 'glance::key_manager::barbican' do
 context 'with specified parameters' do
 let :params do
 {
- :barbican_endpoint => 'http://localhost:9311/',
- :barbican_api_version => 'v1',
- :auth_endpoint => 'http://localhost:5000',
- :retry_delay => 1,
- :number_of_retries => 60,
- :barbican_endpoint_type => 'public',
- :barbican_region_name => 'regionOne',
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ :send_service_user_token => true,
 }
 end
 
 it {
 is_expected.to contain_oslo__key_manager__barbican('glance_api_config').with(
- :barbican_endpoint => 'http://localhost:9311/',
- :barbican_api_version => 'v1',
- :auth_endpoint => 'http://localhost:5000',
- :retry_delay => 1,
- :number_of_retries => 60,
- :barbican_endpoint_type => 'public',
- :barbican_region_name => 'regionOne',
+ :barbican_endpoint => 'http://localhost:9311/',
+ :barbican_api_version => 'v1',
+ :auth_endpoint => 'http://localhost:5000',
+ :retry_delay => 1,
+ :number_of_retries => 60,
+ :barbican_endpoint_type => 'public',
+ :barbican_region_name => 'regionOne',
+ :send_service_user_token => true,
 )
 }
 end