diff --git a/manifests/cron/trust_flush.pp b/manifests/cron/trust_flush.pp
index 472c59626..48a2c1234 100644
--- a/manifests/cron/trust_flush.pp
+++ b/manifests/cron/trust_flush.pp
@@ -48,6 +48,10 @@
 #   cron jobs at the same time on all hosts this job is configured.
 #   Defaults to 0
 #
+# [*age*]
+#   (Optional) Number of days prior to today for deletion,
+#   Defaults to 0
+#
 # [*destination*]
 #   (Optional) Path to file to which rows should be archived
 #   Defaults to '/var/log/keystone/keystone-trustflush.log'
@@ -64,6 +68,7 @@ class keystone::cron::trust_flush (
   $month            = '*',
   $weekday          = '*',
   Integer $maxdelay = 0,
+  Integer $age      = 0,
   $destination      = '/var/log/keystone/keystone-trustflush.log',
   $user             = $::keystone::params::user,
 ) inherits keystone::params {
@@ -76,9 +81,15 @@ class keystone::cron::trust_flush (
     $sleep = "sleep `expr \${RANDOM} \\% ${maxdelay}`; "
   }
 
+  if $age == 0 {
+    $date = ''
+  } else {
+    $date = "--date `date --date 'today - ${age} days' +\\%d-\\%m-\\%Y` "
+  }
+
   cron { 'keystone-manage trust_flush':
     ensure      => $ensure,
-    command     => "${sleep}keystone-manage trust_flush >>${destination} 2>&1",
+    command     => "${sleep}keystone-manage trust_flush ${date}>>${destination} 2>&1",
     environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
     user        => $user,
     minute      => $minute,
diff --git a/releasenotes/notes/token_flush-age-a4b11555aac09a2e.yaml b/releasenotes/notes/token_flush-age-a4b11555aac09a2e.yaml
new file mode 100644
index 000000000..420ef08b0
--- /dev/null
+++ b/releasenotes/notes/token_flush-age-a4b11555aac09a2e.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The new ``keystone::cron::token_flush::age`` parameter has been added.
diff --git a/spec/classes/keystone_cron_trust_flush_spec.rb b/spec/classes/keystone_cron_trust_flush_spec.rb
index f9d94f7d3..84c480a00 100644
--- a/spec/classes/keystone_cron_trust_flush_spec.rb
+++ b/spec/classes/keystone_cron_trust_flush_spec.rb
@@ -25,15 +25,16 @@ describe 'keystone::cron::trust_flush' do
 
     context 'with overriden params' do
       before do
-        params.merge!( :ensure      => 'absent',
-                       :minute      => 13,
-                       :hour        => 23,
-                       :monthday    => 3,
-                       :month       => 4,
-                       :weekday     => 2,
-                       :maxdelay    => 600,
-                       :destination => '/tmp/trustflush.log',
-                       :user        => 'nobody' )
+        params.merge!(
+          :ensure      => 'absent',
+          :minute      => 13,
+          :hour        => 23,
+          :monthday    => 3,
+          :month       => 4,
+          :weekday     => 2,
+          :maxdelay    => 600,
+          :destination => '/tmp/trustflush.log',
+          :user        => 'nobody' )
       end
 
       it { is_expected.to contain_class('keystone::deps') }
@@ -51,6 +52,27 @@ describe 'keystone::cron::trust_flush' do
         :require     => 'Anchor[keystone::dbsync::end]',
       )}
     end
+
+    context 'with age' do
+      before do
+        params.merge!(
+          :age => 14
+        )
+      end
+
+      it { is_expected.to contain_cron('keystone-manage trust_flush').with(
+        :ensure      => 'present',
+        :command     => 'keystone-manage trust_flush --date `date --date \'today - 14 days\' +\\%d-\\%m-\\%Y` >>/var/log/keystone/keystone-trustflush.log 2>&1',
+        :environment => 'PATH=/bin:/usr/bin:/usr/sbin SHELL=/bin/sh',
+        :user        => 'keystone',
+        :minute      => 1,
+        :hour        => '*',
+        :monthday    => '*',
+        :month       => '*',
+        :weekday     => '*',
+        :require     => 'Anchor[keystone::dbsync::end]',
+      )}
+    end
   end
 
   on_supported_os({