diff --git a/manifests/resource/service_identity.pp b/manifests/resource/service_identity.pp
index 906401f9a..09e7d94fb 100644
--- a/manifests/resource/service_identity.pp
+++ b/manifests/resource/service_identity.pp
@@ -170,6 +170,13 @@ define keystone::resource::service_identity(
 }
 if $configure_user_role {
+ if $ensure == 'present' {
+ # NOTE(jaosorior): We only handle ensure 'present' here, since deleting a
+ # role might be conflicting in some cases. e.g. the deployer removing a
+ # role from one service but adding it to another in the same puppet run.
+ # So role deletion should be handled elsewhere.
+ ensure_resource('keystone_role', $roles, { 'ensure' => 'present' })
+ }
 ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
 'ensure' => $ensure,
 'roles' => $roles,
diff --git a/releasenotes/notes/autocreate-keystone-role-98c565ce590d9d32.yaml b/releasenotes/notes/autocreate-keystone-role-98c565ce590d9d32.yaml
new file mode 100644
index 000000000..34ad19ad4
--- /dev/null
+++ b/releasenotes/notes/autocreate-keystone-role-98c565ce590d9d32.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Calls to the '::keystone::resource::service_identity' will automatically
+ create roles as needed. So if a role is specified, the resource will
+ make sure it exists.
diff --git a/spec/defines/keystone_resource_service_identity_spec.rb b/spec/defines/keystone_resource_service_identity_spec.rb
index a01bc4f01..82087e500 100644
--- a/spec/defines/keystone_resource_service_identity_spec.rb
+++ b/spec/defines/keystone_resource_service_identity_spec.rb
@@ -159,6 +159,9 @@ describe 'keystone::resource::service_identity' do
 :email => 'neutron@localhost',
 :domain => 'userdomain',
 )}
+ it { is_expected.to contain_keystone_role('admin').with(
+ :ensure => 'present',
+ )}
 it { is_expected.to contain_keystone_user_role("#{title}@services").with(
 :ensure => 'present',
 :roles => ['admin'],
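Review bot: The new `ensure_resource('keystone_role', $roles, { 'ensure' => 'present' })` creates whatever names arrive in `$roles`, so a misspelled or unintended role name is now created and assigned instead of surfacing as an error (assuming the role assignment failed on a missing role before this change). Nothing visible in the hunk validates `$roles` or lets a deployer opt out, and the define's parameter documentation lies outside the hunk, so I cannot tell whether it mentions this. I would document it on the `roles` parameter, e.g. `# Roles listed here are created if missing and are never removed by this define.` It is also worth confirming that no other class declares the same `keystone_role` with a plain resource declaration or with different attributes, since `ensure_resource` would then fail the catalog with a duplicate declaration.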
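Review bot: Only the `ensure => 'present'` path gets an assertion here; the `if $ensure == 'present'` guard added in the manifest has no negative case in this commit's spec changes. A context with `:ensure => 'absent'` should assert `it { is_expected.not_to contain_keystone_role('admin') }`, so that a later refactor cannot start managing or deleting shared roles on the absent path unnoticed. The enclosing `context` block starts and ends outside the hunk, so an existing absent-case context may already be available to hold it.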