diff --git a/deployment/nova/novajoin-container-puppet.yaml b/deployment/nova/novajoin-container-puppet.yaml
index 78b44458f5..e8c51821d2 100644
--- a/deployment/nova/novajoin-container-puppet.yaml
+++ b/deployment/nova/novajoin-container-puppet.yaml
@@ -78,6 +78,11 @@ parameters:
 description: The timeout for both the vendordata dynamic connect and read values.
 type: number
+ NovajoinPolicies:
+ description: |
+ A hash of policies to configure for Novajoin.
+ default: {}
+ type: json
 resources:
@@ -117,6 +122,7 @@ outputs:
 '119 novajoin':
 dport:
 - 9090
+ nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
 service_config_settings:
 keystone:
 nova::metadata::novajoin::auth::tenant: 'service'
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index b653f27f35..913558355d 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -94,6 +94,12 @@ parameter_defaults:
 NovaAutoDisabling: '0'
 NovaCorsAllowedOrigin: '*'
 NovaSyncPowerStateInterval: -1
+ # Overwrite compute_server_user policy to allow any user with role admin
+ # to post to novajoin (required for mistral workflow)
+ NovajoinPolicies:
+ compute_service_user:
+ key: 'compute_service_user'
+ value: 'role:admin'
 NeutronDhcpAgentsPerNetwork: 2
 HeatConvergenceEngine: true
 HeatCorsAllowedOrigin: '*'
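Review bot: The description added for `NovajoinPolicies` in the first hunk of novajoin-container-puppet.yaml does not say what shape the hash must have, and the value is passed straight through to `nova::metadata::novajoin::policy::policies` in the second hunk. The only example of the expected structure is the override in environments/undercloud.yaml, so an operator reading the template alone has to guess at the `key`/`value` layout. I would extend the description with one example line, `e.g. { compute_service_user: { key: 'compute_service_user', value: 'role:admin' } }`, and add a sentence that entries replace the service's default rule of the same name. The parameters section continues outside the hunk.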
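Review bot: The comment added above `NovajoinPolicies` in environments/undercloud.yaml names the rule `compute_server_user`, but the entry below it sets `compute_service_user`, so the comment should use the real rule name. The value `'role:admin'` replaces the rule rather than extending it and carries no project or user qualifier, so every identity holding the admin role on the undercloud may post to novajoin, not only the Mistral workflow. The previous default rule is not visible here, so the comment should record that the broadening is deliberate and confined to the undercloud. If the workflow's user or project can be named, a narrower rule is preferable. Suggested comment: `# Override the compute_service_user policy so any user with the admin role can post to novajoin (required by the Mistral workflow); undercloud only.`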