diff --git a/docker/services/octavia-api.yaml b/docker/services/octavia-api.yaml
index d76030d452..0a1e3b57d1 100644
--- a/docker/services/octavia-api.yaml
+++ b/docker/services/octavia-api.yaml
@@ -232,3 +232,5 @@ outputs:
                 - octavia_api_httpd_enabled|bool
                 - httpd_running|bool
               service: name=httpd state=stopped
+      metadata_settings:
+        get_attr: [OctaviaApiPuppetBase, role_data, metadata_settings]
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 5e8f0389ef..b9b5c41191 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -400,3 +400,5 @@ outputs:
             - step|int == 1
             - glance_registry_enabled.rc == 0
           service: name=openstack-glance-registry state=stopped enabled=no
+      metadata_settings:
+        get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml
index 6a4647cf6f..f90343af3d 100644
--- a/puppet/services/octavia-api.yaml
+++ b/puppet/services/octavia-api.yaml
@@ -127,3 +127,5 @@ outputs:
           octavia::db::mysql::allowed_hosts:
             - '%'
             - "%{hiera('mysql_bind_host')}"
+      metadata_settings:
+        get_attr: [TLSProxyBase, role_data, metadata_settings]
diff --git a/releasenotes/notes/add-metadata-settings-to-octavia-and-glance-tls-internal-5d8e46650b174626.yaml b/releasenotes/notes/add-metadata-settings-to-octavia-and-glance-tls-internal-5d8e46650b174626.yaml
new file mode 100644
index 0000000000..6eb8457043
--- /dev/null
+++ b/releasenotes/notes/add-metadata-settings-to-octavia-and-glance-tls-internal-5d8e46650b174626.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixed an issue where if Octavia API or Glance API were deployed away from
+    the controller node with internal TLS, the service principals wouldn't be
+    created.