diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index f060d06aae..42cb8f4121 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -673,10 +673,15 @@ outputs:
             start_order: 3
             action: exec
             user: root
+            # NOTE(mwhahaha): We use $$ because we're executing in python to
+            # call as shell script and passing the command to run as arguments
+            # to that shell script. So when it is called via eval, the escaped
+            # $ properly evaulates
             command:
-              [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', {get_param: AdminPassword} ]
+              [ 'keystone', '/usr/bin/bootstrap_host_exec', 'keystone' ,'keystone-manage', 'bootstrap', '--bootstrap-password', '$$KEYSTONE_BOOTSTRAP_PASSWORD' ]
             environment:
               KOLLA_BOOTSTRAP: true
+              KEYSTONE_BOOTSTRAP_PASSWORD: {get_param: AdminPassword}
         step_4:
           # There are cases where we need to refresh keystone after the resource provisioning,
           # such as the case of using LDAP backends for domains. So we trigger a graceful