diff --git a/releasenotes/notes/tripleo-create-admin-0ce59d13ce2c07f6.yaml b/releasenotes/notes/tripleo-create-admin-0ce59d13ce2c07f6.yaml
new file mode 100644
index 000000000..45047283a
--- /dev/null
+++ b/releasenotes/notes/tripleo-create-admin-0ce59d13ce2c07f6.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Break out tripleo-admin creation to its own role called tripleo-create-admin.
+ This removes some inline ansible from the mistral workflow, and allows
+ this role to be reused in other contexts (such as undercloud install).
diff --git a/roles/tripleo-create-admin/README.md b/roles/tripleo-create-admin/README.md
new file mode 100644
index 000000000..23ea7ed1e
--- /dev/null
+++ b/roles/tripleo-create-admin/README.md
@@ -0,0 +1,48 @@
+# TripleO Create Admin #
+
+A role to create an admin user to be later used for running playbooks.
+
+## Role Variables ##
+
+| Name | Default Value | Description |
+|-------------------|---------------------|-----------------------|
+| `tripleo_admin_user` | `tripleo-admin` | Name of user to create|
+| `tripleo_admin_pubkey` | `[undefined]` | Public key for authorization|
+
+## Requirements ##
+
+ - ansible >= 2.4
+ - python >= 2.6
+
+## Dependencies ##
+
+None
+
+## Example Playbooks ##
+
+### Create and authorize user tripleo-admin ###
+ - hosts: localhost
+ tasks:
+ - import_role:
+ name: tripleo-create-admin
+ vars:
+ tripleo_admin_user: tripleo-admin
+ tripleo_admin_pubkey: ssh-rsa AAAA... # etc
+
+### Create user tripleo-admin ###
+ - hosts: controller-0
+ tasks:
+ - import_role:
+ name: tripleo-create-admin
+ tasks_from: create_user.yml
+
+### Authorize existing user ###
+
+ - hosts: localhost
+ tasks:
+ - import_role:
+ name: tripleo-create-admin
+ tasks_from: authorize_user.yml
+ vars:
+ tripleo_admin_user: tripleo-admin
+ tripleo_admin_pubkey: ssh-rsa AAAA... # etc
diff --git a/roles/tripleo-create-admin/defaults/main.yml b/roles/tripleo-create-admin/defaults/main.yml
new file mode 100644
index 000000000..51a6f7881
--- /dev/null
+++ b/roles/tripleo-create-admin/defaults/main.yml
@@ -0,0 +1 @@
+tripleo_admin_user: tripleo-admin
diff --git a/roles/tripleo-create-admin/tasks/authorize_user.yml b/roles/tripleo-create-admin/tasks/authorize_user.yml
new file mode 100644
index 000000000..aa79f669a
--- /dev/null
+++ b/roles/tripleo-create-admin/tasks/authorize_user.yml
@@ -0,0 +1,5 @@
+- name: authorize TripleO Mistral key for user {{ tripleo_admin_user }}
+ lineinfile:
+ path: /home/{{ tripleo_admin_user }}/.ssh/authorized_keys
+ line: '{{ tripleo_admin_pubkey }}'
+ regexp: 'Generated by TripleO'
diff --git a/roles/tripleo-create-admin/tasks/create_user.yml b/roles/tripleo-create-admin/tasks/create_user.yml
new file mode 100644
index 000000000..edf805f0a
--- /dev/null
+++ b/roles/tripleo-create-admin/tasks/create_user.yml
@@ -0,0 +1,23 @@
+- name: create user {{ tripleo_admin_user }}
+ user:
+ name: '{{ tripleo_admin_user }}'
+- name: grant admin rights to user {{ tripleo_admin_user }}
+ copy:
+ dest: /etc/sudoers.d/{{ tripleo_admin_user }}
+ content: |
+ {{ tripleo_admin_user }} ALL=(ALL) NOPASSWD:ALL
+ mode: 0440
+- name: ensure .ssh dir exists for user {{ tripleo_admin_user }}
+ file:
+ path: /home/{{ tripleo_admin_user }}/.ssh
+ state: directory
+ owner: '{{ tripleo_admin_user }}'
+ group: '{{ tripleo_admin_user }}'
+ mode: 0700
+- name: ensure authorized_keys file exists for user {{ tripleo_admin_user }}
+ file:
+ path: /home/{{ tripleo_admin_user }}/.ssh/authorized_keys
+ state: touch
+ owner: '{{ tripleo_admin_user }}'
+ group: '{{ tripleo_admin_user }}'
+ mode: 0600
diff --git a/roles/tripleo-create-admin/tasks/main.yml b/roles/tripleo-create-admin/tasks/main.yml
new file mode 100644
index 000000000..970fb2841
--- /dev/null
+++ b/roles/tripleo-create-admin/tasks/main.yml
@@ -0,0 +1,2 @@
+- import_tasks: create_user.yml
+- import_tasks: authorize_user.yml
diff --git a/workbooks/access.yaml b/workbooks/access.yaml
index 2afa0d511..25145bb05 100644
--- a/workbooks/access.yaml
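Review bot: The `lineinfile` task in authorize_user.yml writes `tripleo_admin_pubkey` into authorized_keys verbatim, so nothing checks that the value is one well-formed public-key line before it becomes a login credential for a passwordless-sudo account, and the `Generated by TripleO` regexp only replaces an existing entry whose comment happens to match. The `authorized_key` module does this job with validation built in: `authorized_key:` with `user: '{{ tripleo_admin_user }}'` and `key: '{{ tripleo_admin_pubkey }}'` parses the key, rejects malformed input, and resolves the account's real home directory instead of assuming `/home/{{ tripleo_admin_user }}`. If the regexp was chosen so that an older TripleO key is replaced on rotation, note that `authorized_key` only adds by default and would need `exclusive: yes` to remove other keys, which is a broader policy change worth deciding explicitly.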
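Review bot: The sudoers drop-in in create_user.yml is written with `copy` and no `validate`, so a malformed entry lands in `/etc/sudoers.d/` unchecked and can break sudo for every user on the host; add `validate: '/usr/sbin/visudo -cf %s'` to that task. Since the file name is built from `tripleo_admin_user`, it is also worth remembering that sudo skips drop-ins whose name contains a `.` or ends in `~`, so a user name containing a dot would silently get no privileges — a comment on the task, or an `assert` on the variable, would make that limit visible. The `state: touch` task reports changed on every run, so the role is not idempotent; `state: file` with `modification_time: preserve` is not available on ansible 2.4, so consider creating the file only when it does not exist. The `mode: 0440`/`0700`/`0600` values work because of the leading zero, but quoting them (`mode: '0440'`) avoids the octal-as-integer trap flagged by ansible-lint's risky-octal rule.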
+++ b/workbooks/access.yaml
@@ -61,34 +61,12 @@ workflows:
 - create_admin_via_ssh: <% $.ssh_private_key != null %>
 publish:
 create_admin_tasks:
- - name: create user <% $.overcloud_admin %>
- user:
- name: '<% $.overcloud_admin %>'
- - name: grant admin rights to user <% $.overcloud_admin %>
- copy:
- dest: /etc/sudoers.d/<% $.overcloud_admin %>
- content: |
- <% $.overcloud_admin %> ALL=(ALL) NOPASSWD:ALL
- mode: 0440
- - name: ensure .ssh dir exists for user <% $.overcloud_admin %>
- file:
- path: /home/<% $.overcloud_admin %>/.ssh
- state: directory
- owner: <% $.overcloud_admin %>
- group: <% $.overcloud_admin %>
- mode: 0700
- - name: ensure authorized_keys file exists for user <% $.overcloud_admin %>
- file:
- path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys
- state: touch
- owner: <% $.overcloud_admin %>
- group: <% $.overcloud_admin %>
- mode: 0700
- - name: authorize TripleO Mistral key for user <% $.overcloud_admin %>
- lineinfile:
- path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys
- line: <% $.pubkey %>
- regexp: "Generated by TripleO"
+ - name: create and authorize user <% $.overcloud_admin %>
+ import_role:
+ name: tripleo-create-admin
+ vars:
+ tripleo_admin_user: <% $.overcloud_admin %>
+ tripleo_admin_pubkey: <% $.pubkey %>
 # Nova variant
 create_admin_via_nova:
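Review bot: The published `create_admin_tasks` list now imports the role by name, so the playbook this workflow launches only works if `tripleo-create-admin` is resolvable on the roles path of that Ansible run, and nothing in this hunk configures that; please confirm the action that consumes `create_admin_tasks` points roles_path (or ANSIBLE_ROLES_PATH) at this repository's `roles/` directory, because otherwise the deploy now fails at import time where the inline tasks did not. One behaviour change rides along with the move: the removed inline tasks set authorized_keys to `mode: 0700` while the role uses `0600`, which is the correct permission but is not mentioned in the release note. The `create_admin_via_ssh` task definition begins before this hunk.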