diff --git a/manifests/keystone/glare_auth.pp b/manifests/keystone/glare_auth.pp
new file mode 100644
index 00000000..a5e2432b
--- /dev/null
+++ b/manifests/keystone/glare_auth.pp
@@ -0,0 +1,104 @@
+# == Class: glance::keystone::glare_auth
+#
+# Sets up glare users, service and endpoint for Glance Glare
+#
+# == Parameters:
+#
+# [*password*]
+#   Password for glare user. Required.
+#
+# [*email*]
+#   Email for glance user. Optional. Defaults to 'glare@localhost'.
+#
+# [*auth_name*]
+#   Username for glare service. Optional. Defaults to 'glare'.
+#
+# [*configure_endpoint*]
+#   Should glare endpoint be configured? Optional. Defaults to 'true'.
+#
+# [*configure_user*]
+#   Should the service user be configured? Optional. Defaults to 'true'.
+#
+# [*configure_user_role*]
+#   Should the admin role be configured for the service user?
+#   Optional. Defaults to 'true'.
+#
+# [*service_name*]
+#    Name of the service. Optional.
+#    Defaults to 'Glance Artifacts'.
+#
+# [*service_type*]
+#    Type of service. Optional. Defaults to 'artifact'.
+#
+# [*service_description*]
+#    Description for keystone service. Optional. Defaults to 'Glance Artifact Service'.
+#
+# [*region*]
+#    Region for endpoint. Optional. Defaults to 'RegionOne'.
+#
+# [*tenant*]
+#    Tenant for glare user. Optional. Defaults to 'services'.
+#
+# [*public_url*]
+#   (optional) The endpoint's public url. (Defaults to 'http://127.0.0.1:9494')
+#   This url should *not* contain any trailing '/'.
+#
+# [*admin_url*]
+#   (optional) The endpoint's admin url. (Defaults to 'http://127.0.0.1:9494')
+#   This url should *not* contain any trailing '/'.
+#
+# [*internal_url*]
+#   (optional) The endpoint's internal url. (Defaults to 'http://127.0.0.1:9494')
+#   This url should *not* contain any trailing '/'.
+#
+# === Examples
+#
+#  class { 'glance::keystone::glare_auth':
+#    public_url   => 'https://10.0.0.10:9494',
+#    internal_url => 'https://10.0.0.11:9494',
+#    admin_url    => 'https://10.0.0.11:9494',
+#  }
+#
+class glance::keystone::glare_auth(
+  $password,
+  $email               = 'glare@localhost',
+  $auth_name           = 'glare',
+  $configure_endpoint  = true,
+  $configure_user      = true,
+  $configure_user_role = true,
+  $service_name        = 'Glance Artifacts',
+  $service_type        = 'artifact',
+  $region              = 'RegionOne',
+  $tenant              = 'services',
+  $service_description = 'Glance Artifact Service',
+  $public_url          = 'http://127.0.0.1:9494',
+  $admin_url           = 'http://127.0.0.1:9494',
+  $internal_url        = 'http://127.0.0.1:9494',
+) {
+
+  $real_service_name = pick($service_name, $auth_name)
+
+  if $configure_endpoint {
+    Keystone_endpoint["${region}/${real_service_name}::${service_type}"]  ~> Service<| title == 'glance-glare' |>
+  }
+
+  keystone::resource::service_identity { $auth_name:
+    configure_user      => $configure_user,
+    configure_user_role => $configure_user_role,
+    configure_endpoint  => $configure_endpoint,
+    service_type        => $service_type,
+    service_description => $service_description,
+    service_name        => $real_service_name,
+    region              => $region,
+    password            => $password,
+    email               => $email,
+    tenant              => $tenant,
+    public_url          => $public_url,
+    admin_url           => $admin_url,
+    internal_url        => $internal_url,
+  }
+
+  if $configure_user_role {
+    Keystone_user_role["${auth_name}@${tenant}"] ~> Service<| title == 'glance-glare' |>
+  }
+}
diff --git a/spec/acceptance/basic_glance_spec.rb b/spec/acceptance/basic_glance_spec.rb
index eb3f620c..a327006a 100644
--- a/spec/acceptance/basic_glance_spec.rb
+++ b/spec/acceptance/basic_glance_spec.rb
@@ -21,6 +21,9 @@ describe 'glance class' do
       class { '::glance::keystone::auth':
         password => 'a_big_secret',
       }
+      class { '::glance::keystone::glare_auth':
+        password => 'a_big_secret',
+      }
       class { '::glance::api':
         database_connection => 'mysql+pymysql://glance:a_big_secret@127.0.0.1/glance?charset=utf8',
         verbose             => false,
diff --git a/spec/classes/glance_keystone_glare_auth_spec.rb b/spec/classes/glance_keystone_glare_auth_spec.rb
new file mode 100644
index 00000000..2e338104
--- /dev/null
+++ b/spec/classes/glance_keystone_glare_auth_spec.rb
@@ -0,0 +1,172 @@
+require 'spec_helper'
+
+describe 'glance::keystone::glare_auth' do
+
+  shared_examples_for 'glance::keystone::glare_auth' do
+    describe 'with defaults' do
+
+      let :params do
+        {:password => 'pass'}
+      end
+
+      it { is_expected.to contain_keystone_user('glare').with(
+        :ensure   => 'present',
+        :password => 'pass'
+      )}
+
+      it { is_expected.to contain_keystone_user_role('glare@services').with(
+        :ensure => 'present',
+        :roles  => ['admin']
+      ) }
+
+      it { is_expected.to contain_keystone_service('Glance Artifacts::artifact').with(
+        :ensure      => 'present',
+        :description => 'Glance Artifact Service'
+      ) }
+
+      it { is_expected.to contain_keystone_endpoint('RegionOne/Glance Artifacts::artifact').with(
+        :ensure       => 'present',
+        :public_url   => 'http://127.0.0.1:9494',
+        :admin_url    => 'http://127.0.0.1:9494',
+        :internal_url => 'http://127.0.0.1:9494'
+      )}
+
+    end
+
+    describe 'when auth_type, password, and service_type are overridden' do
+
+      let :params do
+        {
+          :auth_name    => 'glarey',
+          :password     => 'password',
+          :service_type => 'glarey'
+        }
+      end
+
+      it { is_expected.to contain_keystone_user('glarey').with(
+        :ensure   => 'present',
+        :password => 'password'
+      )}
+
+      it { is_expected.to contain_keystone_user_role('glarey@services').with(
+        :ensure => 'present',
+        :roles  => ['admin']
+      ) }
+
+      it { is_expected.to contain_keystone_service('Glance Artifacts::glarey').with(
+        :ensure      => 'present',
+        :description => 'Glance Artifact Service'
+      ) }
+
+    end
+
+    describe 'when overriding endpoint URLs' do
+      let :params do
+        { :password         => 'passw0rd',
+          :region            => 'RegionTwo',
+          :public_url       => 'https://10.10.10.10:82/v2',
+          :internal_url     => 'https://10.10.10.11:82/v2',
+          :admin_url        => 'https://10.10.10.12:82/v2' }
+      end
+
+      it { is_expected.to contain_keystone_endpoint('RegionTwo/Glance Artifacts::artifact').with(
+        :ensure       => 'present',
+        :public_url   => 'https://10.10.10.10:82/v2',
+        :internal_url => 'https://10.10.10.11:82/v2',
+        :admin_url    => 'https://10.10.10.12:82/v2'
+      ) }
+    end
+
+    describe 'when endpoint is not set' do
+
+      let :params do
+        {
+          :configure_endpoint => false,
+          :password         => 'pass',
+        }
+      end
+
+      it { is_expected.to_not contain_keystone_endpoint('RegionOne/Glance Artifacts::artifact') }
+    end
+
+    describe 'when disabling user configuration' do
+      let :params do
+        {
+          :configure_user => false,
+          :password       => 'pass',
+        }
+      end
+
+      it { is_expected.to_not contain_keystone_user('glare') }
+
+      it { is_expected.to contain_keystone_user_role('glare@services') }
+
+      it { is_expected.to contain_keystone_service('Glance Artifacts::artifact').with(
+        :ensure      => 'present',
+        :description => 'Glance Artifact Service'
+      ) }
+    end
+
+    describe 'when disabling user and user role configuration' do
+      let :params do
+        {
+          :configure_user      => false,
+          :configure_user_role => false,
+          :password            => 'pass',
+        }
+      end
+
+      it { is_expected.to_not contain_keystone_user('glare') }
+
+      it { is_expected.to_not contain_keystone_user_role('glare@services') }
+
+      it { is_expected.to contain_keystone_service('Glance Artifacts::artifact').with(
+        :ensure      => 'present',
+        :description => 'Glance Artifact Service'
+      ) }
+    end
+
+    describe 'when configuring glance-glare and the keystone endpoint' do
+      let :pre_condition do
+        "class { 'glance::glare': keystone_password => 'test' }"
+      end
+
+      let :params do
+        {
+          :password => 'test',
+          :configure_endpoint => true
+        }
+      end
+
+      it { is_expected.to contain_keystone_endpoint('RegionOne/Glance Artifacts::artifact').with_notify(["Service[glance-glare]"]) }
+      end
+
+    describe 'when overriding service name' do
+
+      let :params do
+        {
+          :service_name => 'glance_service',
+          :password     => 'pass'
+        }
+      end
+
+      it { is_expected.to contain_keystone_user('glare') }
+      it { is_expected.to contain_keystone_user_role('glare@services') }
+      it { is_expected.to contain_keystone_service('glance_service::artifact') }
+      it { is_expected.to contain_keystone_endpoint('RegionOne/glance_service::artifact') }
+
+    end
+  end
+
+  on_supported_os({
+    :supported_os   => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_configures 'glance::keystone::glare_auth'
+    end
+  end
+end