diff --git a/manifests/bootstrap.pp b/manifests/bootstrap.pp
index d8db3348b..0a0857087 100644
--- a/manifests/bootstrap.pp
+++ b/manifests/bootstrap.pp
@@ -56,6 +56,10 @@
 # (Optional) Which interface endpoint should be used.
 # Defaults to 'public'
 #
+# [*bootstrap*]
+# (Optional) Whether to run keystone-manage bootstrap command.
+# Defaults to true
+#
 class keystone::bootstrap (
 $password,
 $username = 'admin',
@@ -69,6 +73,7 @@ class keystone::bootstrap (
 $internal_url = undef,
 $region = 'RegionOne',
 $interface = 'public',
+ $bootstrap = true,
 ) inherits keystone::params {
 include keystone::deps
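Review bot: The new `[*bootstrap*]` entry understates what the flag turns off. In the `@@ -84,71 +89,73 @@` hunk, the `if $bootstrap {` guard wraps the `keystone-manage bootstrap` exec and also every `ensure_resource` call for the admin role, user, tenants, user role, service and endpoint. A node with `bootstrap => false` therefore stops reconciling the admin password and endpoint URLs, yet the added spec still expects `/etc/keystone/puppet.conf` and the authtoken resource carrying `$password` on that node. I would reword the entry as `# (Optional) Whether to run keystone-manage bootstrap and manage the bootstrap role, user, projects, service and endpoint.` and put `# When false only the provider credentials are written; another node must run the bootstrap with the same password.` above the guard.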
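Review bot: `$bootstrap` is declared without a data type, so the `if $bootstrap {` test added later in this commit follows Puppet truthiness, where every string, including `'false'`, evaluates as true. A value that arrives quoted from Hiera or an ENC would leave the bootstrap exec and the admin resources enabled on a node that was meant to skip them, with no error. Declaring the parameter as `Boolean $bootstrap = true,` turns that mistake into a compile failure. The parameter list starts and ends outside this hunk, and the parameters visible here are untyped, so this would be the first typed one.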
@@ -84,71 +89,73 @@ class keystone::bootstrap (
 $keystone_user = $::keystone::params::keystone_user
 }
- # The initial bootstrap that creates all resources required but
- # only subscribes to notifies from the keystone::dbsync::end anchor
- # which means this is not guaranteed to execute on each run.
- exec { 'keystone bootstrap':
- command => 'keystone-manage bootstrap',
- environment => [
- "OS_BOOTSTRAP_USERNAME=${username}",
- "OS_BOOTSTRAP_PASSWORD=${password}",
- "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
- "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
- "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
- "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
- "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
- "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
- "OS_BOOTSTRAP_REGION_ID=${region}",
- ],
- user => $keystone_user,
- path => '/usr/bin',
- refreshonly => true,
- subscribe => Anchor['keystone::dbsync::end'],
- notify => Anchor['keystone::service::begin'],
- tag => 'keystone-bootstrap',
+ if $bootstrap {
+ # The initial bootstrap that creates all resources required but
+ # only subscribes to notifies from the keystone::dbsync::end anchor
+ # which means this is not guaranteed to execute on each run.
+ exec { 'keystone bootstrap':
+ command => 'keystone-manage bootstrap',
+ environment => [
+ "OS_BOOTSTRAP_USERNAME=${username}",
+ "OS_BOOTSTRAP_PASSWORD=${password}",
+ "OS_BOOTSTRAP_PROJECT_NAME=${project_name}",
+ "OS_BOOTSTRAP_ROLE_NAME=${role_name}",
+ "OS_BOOTSTRAP_SERVICE_NAME=${service_name}",
+ "OS_BOOTSTRAP_ADMIN_URL=${admin_url}",
+ "OS_BOOTSTRAP_PUBLIC_URL=${public_url}",
+ "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}",
+ "OS_BOOTSTRAP_REGION_ID=${region}",
+ ],
+ user => $keystone_user,
+ path => '/usr/bin',
+ refreshonly => true,
+ subscribe => Anchor['keystone::dbsync::end'],
+ notify => Anchor['keystone::service::begin'],
+ tag => 'keystone-bootstrap',
+ }
+
+ # Since the bootstrap is not guaranteed to execute on each run we
+ # use the below resources to make sure the current resources are
+ # correct so if some value was updated we set that.
+
+ ensure_resource('keystone_role', $role_name, {
+ 'ensure' => 'present',
+ })
+
+ ensure_resource('keystone_user', $username, {
+ 'ensure' => 'present',
+ 'enabled' => true,
+ 'email' => $email,
+ 'password' => $password,
+ })
+
+ ensure_resource('keystone_tenant', $service_project_name, {
+ 'ensure' => 'present',
+ 'enabled' => true,
+ })
+
+ ensure_resource('keystone_tenant', $project_name, {
+ 'ensure' => 'present',
+ 'enabled' => true,
+ })
+
+ ensure_resource('keystone_user_role', "${username}@${project_name}", {
+ 'ensure' => 'present',
+ 'roles' => $role_name,
+ })
+
+ ensure_resource('keystone_service', "${service_name}::identity", {
+ 'ensure' => 'present',
+ })
+
+ ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
+ 'ensure' => 'present',
+ 'public_url' => $public_url,
+ 'admin_url' => $admin_url,
+ 'internal_url' => $internal_url_real,
+ })
 }
- # Since the bootstrap is not guaranteed to execute on each run we
- # use the below resources to make sure the current resources are
- # correct so if some value was updated we set that.
-
- ensure_resource('keystone_role', $role_name, {
- 'ensure' => 'present',
- })
-
- ensure_resource('keystone_user', $username, {
- 'ensure' => 'present',
- 'enabled' => true,
- 'email' => $email,
- 'password' => $password,
- })
-
- ensure_resource('keystone_tenant', $service_project_name, {
- 'ensure' => 'present',
- 'enabled' => true,
- })
-
- ensure_resource('keystone_tenant', $project_name, {
- 'ensure' => 'present',
- 'enabled' => true,
- })
-
- ensure_resource('keystone_user_role', "${username}@${project_name}", {
- 'ensure' => 'present',
- 'roles' => $role_name,
- })
-
- ensure_resource('keystone_service', "${service_name}::identity", {
- 'ensure' => 'present',
- })
-
- ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", {
- 'ensure' => 'present',
- 'public_url' => $public_url,
- 'admin_url' => $admin_url,
- 'internal_url' => $internal_url_real,
- })
-
 # The below creates and populates the /etc/keystone/puppet.conf file that contains
 # the credentials that can be loaded by providers. Ensure it has the proper owner,
 # group and mode so that it cannot be read by anything other than root.
diff --git a/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml b/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml
new file mode 100644
index 000000000..045fbc54a
--- /dev/null
+++ b/releasenotes/notes/keystone-bootstrap-flag-9eac9280f6f6d7ed.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ The new ``keystone::bootstrap::bootstrap`` parameter has been added, to
+ disable ``keystone-manage bootstrap`` command. This is useful to generate
+ ``/etc/keystone/puppet.conf`` on multiple nodes while running bootstrap
+ command on a single node.
diff --git a/spec/classes/keystone_bootstrap_spec.rb b/spec/classes/keystone_bootstrap_spec.rb
index 1ee578169..b0a1e2dc5 100644
--- a/spec/classes/keystone_bootstrap_spec.rb
+++ b/spec/classes/keystone_bootstrap_spec.rb
@@ -179,6 +179,46 @@ describe 'keystone::bootstrap' do
 )}
 end
+ context 'with bootstrap disabled' do
+ let :params do
+ {
+ :bootstrap => false,
+ :password => 'secret'
+ }
+ end
+
+ it { is_expected.to contain_class('keystone::deps') }
+
+ it { is_expected.to_not contain_exec('keystone bootstrap') }
+
+ it { is_expected.to_not contain_keystone_role('admin') }
+ it { is_expected.to_not contain_keystone_user('admin') }
+ it { is_expected.to_not contain_keystone_tenant('services') }
+ it { is_expected.to_not contain_keystone_tenant('admin') }
+ it { is_expected.to_not contain_keystone_user_role('admin@admin') }
+ it { is_expected.to_not contain_keystone_service('keystone::identity') }
+ it { is_expected.to_not contain_keystone_endpoint('RegionOne/keystone::identity') }
+
+ it { is_expected.to contain_file('/etc/keystone/puppet.conf').with(
+ :ensure => 'present',
+ :replace => false,
+ :content => '',
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ :require => 'Anchor[keystone::install::end]',
+ )}
+
+ it { is_expected.to contain_keystone__resource__authtoken('keystone_puppet_config').with(
+ :username => 'admin',
+ :password => 'secret',
+ :auth_url => 'http://127.0.0.1:5000',
+ :project_name => 'admin',
+ :region_name => 'RegionOne',
+ :interface => 'public',
+ )}
+ end
+
 context 'when setting keystone_user param in keystone' do
 let :params do
 {
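Review bot: The negative assertions in the `with bootstrap disabled` context match on the default titles (`'admin'`, `'services'`, `'RegionOne/keystone::identity'`), so they would keep passing if a default title changed while the resources were still being declared. Because the flag decides whether a node manages the admin account at all, a count-based check is harder to satisfy by accident, for example `it { is_expected.to have_keystone_user_resource_count(0) }` and `it { is_expected.to have_keystone_endpoint_resource_count(0) }`. That assumes nothing else in the compiled catalog declares those types. The enclosing `describe` block starts and ends outside this hunk.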