diff --git a/manifests/metadata/novajoin/api.pp b/manifests/metadata/novajoin/api.pp
index b04f353f1..4e1a57b3b 100644
--- a/manifests/metadata/novajoin/api.pp
+++ b/manifests/metadata/novajoin/api.pp
@@ -128,6 +128,7 @@ class nova::metadata::novajoin::api (
 $ipa_realm = undef,
 ) {
 include ::nova::metadata::novajoin::authtoken
+ include ::nova::metadata::novajoin::policy
 
 if ! $service_user {
 fail('service_user is missing')
diff --git a/manifests/metadata/novajoin/policy.pp b/manifests/metadata/novajoin/policy.pp
new file mode 100644
index 000000000..eb7053519
--- /dev/null
+++ b/manifests/metadata/novajoin/policy.pp
@@ -0,0 +1,38 @@
+# == Class: nova::metadata::novajoin::policy
+#
+# Configure the nova policies
+#
+# === Parameters
+#
+# [*policies*]
+# (Optional) Set of policies to configure for novajoin
+# Example :
+# {
+# 'novajoin-compute_service_user' => {
+# 'key' => 'compute_service_user',
+# 'value' => 'role:admin'
+# }
+# }
+# Defaults to empty hash.
+#
+# [*policy_path*]
+# (Optional) Path to the novajoin policy.json file
+# Defaults to /etc/novajoin/policy.json
+#
+class nova::metadata::novajoin::policy (
+ $policies = {},
+ $policy_path = '/etc/novajoin/policy.json',
+) {
+
+ validate_legacy(Hash, 'validate_hash', $policies)
+
+ $policy_defaults = {
+ file_path => $policy_path,
+ file_user => 'root',
+ }
+
+ create_resources('openstacklib::policy::base', $policies, $policy_defaults)
+
+ oslo::policy { 'novajoin_config': policy_file => $policy_path }
+
+}
diff --git a/releasenotes/notes/novajoin-policy-2c219cf32a322d4b.yaml b/releasenotes/notes/novajoin-policy-2c219cf32a322d4b.yaml
new file mode 100644
index 000000000..e48a9dd34
--- /dev/null
+++ b/releasenotes/notes/novajoin-policy-2c219cf32a322d4b.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ New class nova::metadata::novajoin::policy allows novajoin policy overrides
+ to be written to /etc/novajoin/policy.json.
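Review bot: In manifests/metadata/novajoin/policy.pp, `$policy_defaults` pins only `file_user => 'root'`, so the group and mode of the policy file fall back to whatever `openstacklib::policy::base` defaults to, which this hunk does not show. Since this file decides who novajoin authorizes, I would set both explicitly, e.g. `file_group => '<novajoin service group>',` and `file_mode => '0640',`, so the service account can read it and only root can write it; the group name is a placeholder to fill in from the module's params. Separately, the class header says "Configure the nova policies" although the class manages novajoin's policy file; `# Configure the novajoin policies` would be accurate.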
diff --git a/spec/classes/nova_metadata_novajoin_policy_spec.rb b/spec/classes/nova_metadata_novajoin_policy_spec.rb
new file mode 100644
index 000000000..0dbc15cb8
--- /dev/null
+++ b/spec/classes/nova_metadata_novajoin_policy_spec.rb
@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'nova::metadata::novajoin::policy' do
+
+ shared_examples_for 'novajoin policies' do
+ let :params do
+ {
+ :policy_path => '/etc/novajoin/policy.json',
+ :policies => {
+ 'context_is_admin' => {
+ 'key' => 'context_is_admin',
+ 'value' => 'foo:bar'
+ }
+ }
+ }
+ end
+
+ it 'set up the policies' do
+ is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
+ :key => 'context_is_admin',
+ :value => 'foo:bar',
+ :file_user => 'root',
+ })
+ is_expected.to contain_oslo__policy('novajoin_config').with(
+ :policy_file => '/etc/novajoin/policy.json',
+ )
+ end
+ end
+
+ on_supported_os({
+ :supported_os => OSDefaults.get_supported_os
+ }).each do |os,facts|
+ context "on #{os}" do
+ let (:facts) do
+ facts.merge!(OSDefaults.get_facts())
+ end
+
+ it_configures 'novajoin policies'
+ end
+ end
+
+end
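Review bot: The `contain_openstacklib__policy__base('context_is_admin')` expectation checks `key`, `value` and `file_user` but not `file_path`, so the spec would still pass if the rule were written to a different file than the one `oslo::policy` points at. Adding `:file_path => '/etc/novajoin/policy.json',` to that `.with({...})` hash ties the two together. The `params` block also passes the same `policy_path` as the class default, so a non-default path would be needed to show the parameter is actually honoured.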