diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 40da0895..92c2c51e 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -21,7 +21,7 @@
 #
 # [*roles*]
 #   (Optional) List of roles assigned to swift user.
-#   Defaults to ['admin']
+#   Defaults to ['admin', 'service']
 #
 # [*system_scope*]
 #   (Optional) Scope for system operations.
@@ -111,7 +111,7 @@ class swift::keystone::auth (
   String[1] $password,
   String[1] $auth_name                       = 'swift',
   String[1] $tenant                          = 'services',
-  Array[String[1]] $roles                    = ['admin'],
+  Array[String[1]] $roles                    = ['admin', 'service'],
   String[1] $system_scope                    = 'all',
   Array[String[1]] $system_roles             = [],
   String[1] $email                           = 'swift@localhost',
diff --git a/releasenotes/notes/service-role-ad4862288689402d.yaml b/releasenotes/notes/service-role-ad4862288689402d.yaml
new file mode 100644
index 00000000..776e0428
--- /dev/null
+++ b/releasenotes/notes/service-role-ad4862288689402d.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``swift::keystone::auth`` class now adds the ``service`` role by
+    default. Set the ``roles`` parameter not to add the role.
diff --git a/spec/classes/swift_keystone_auth_spec.rb b/spec/classes/swift_keystone_auth_spec.rb
index d8ca42c7..2199ae66 100644
--- a/spec/classes/swift_keystone_auth_spec.rb
+++ b/spec/classes/swift_keystone_auth_spec.rb
@@ -23,7 +23,7 @@ describe 'swift::keystone::auth' do
         :password            => 'swift_password',
         :email               => 'swift@localhost',
         :tenant              => 'services',
-        :roles               => ['admin'],
+        :roles               => ['admin', 'service'],
         :system_scope        => 'all',
         :system_roles        => [],
         :public_url          => 'http://127.0.0.1:8080/v1/AUTH_%(tenant_id)s',
@@ -58,7 +58,7 @@ describe 'swift::keystone::auth' do
           :auth_name              => 'alt_swift',
           :email                  => 'alt_swift@alt_localhost',
           :tenant                 => 'alt_service',
-          :roles                  => ['admin', 'service'],
+          :roles                  => ['admin'],
           :system_scope           => 'alt_all',
           :system_roles           => ['admin', 'member', 'reader'],
           :configure_endpoint     => false,
@@ -91,7 +91,7 @@ describe 'swift::keystone::auth' do
         :password            => 'swift_password',
         :email               => 'alt_swift@alt_localhost',
         :tenant              => 'alt_service',
-        :roles               => ['admin', 'service'],
+        :roles               => ['admin'],
         :system_scope        => 'alt_all',
         :system_roles        => ['admin', 'member', 'reader'],
         :public_url          => 'https://10.10.10.10:80',