diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml
index a8db48c..1944b35 100644
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
@@ -1,25 +1,33 @@
 setup:
+ users:
+ snap-keystone: [snap-keystone]
+ default-owner: "root:snap-keystone"
 dirs:
+ - "{snap_common}/etc"
 - "{snap_common}/etc/keystone"
 - "{snap_common}/etc/keystone/conf.d"
- - "{snap_common}/etc/keystone/fernet-keys"
 - "{snap_common}/etc/nginx"
 - "{snap_common}/etc/uwsgi"
+ - "{snap_common}/fernet-keys"
 - "{snap_common}/lib"
 - "{snap_common}/lock"
 - "{snap_common}/log"
 - "{snap_common}/run"
 templates:
- keystone-snap.conf.j2: "{snap_common}/etc/keystone/conf.d/keystone-snap.conf"
 admin.ini.j2: "{snap_common}/etc/uwsgi/admin.ini"
- public.ini.j2: "{snap_common}/etc/uwsgi/public.ini"
 keystone-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/keystone.conf"
- # NOTE(coreycb): drop root from nginx.conf template when support lands for
- # dropping permissions to regular user.
+ keystone-snap.conf.j2: "{snap_common}/etc/keystone/conf.d/keystone-snap.conf"
 nginx.conf.j2: "{snap_common}/etc/nginx/nginx.conf"
+ public.ini.j2: "{snap_common}/etc/uwsgi/public.ini"
 copyfiles:
 "{snap}/etc/keystone": "{snap_common}/etc/keystone"
 "{snap}/usr/conf": "{snap_common}/etc/nginx"
+ rchown:
+ "{snap_common}/fernet-keys": "snap-keystone:snap-keystone"
+ "{snap_common}/lib": "snap-keystone:snap-keystone"
+ "{snap_common}/lock": "snap-keystone:snap-keystone"
+ "{snap_common}/log": "snap-keystone:snap-keystone"
+ "{snap_common}/run": "snap-keystone:snap-keystone"
 entry_points:
 keystone-manage:
 binary: "{snap}/bin/keystone-manage"
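Review bot: `{snap_common}/fernet-keys` is created under `dirs` and handed to snap-keystone through `rchown`, but nothing in this hunk sets a mode on it, so the permissions on the token-signing keys depend on whatever directory creation defaults to. Keystone expects the key repository to be unreadable by other users, so setup should leave that directory at 0700 or stricter; how the setup schema expresses a mode is not visible here. At minimum I would record the requirement next to the entry: `# fernet-keys: token signing keys; owner snap-keystone, must not be group- or world-readable`. The same question applies to `{snap_common}/etc/keystone`, which becomes `root:snap-keystone` through `default-owner` and presumably holds configuration containing credentials.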
@@ -27,10 +35,14 @@ entry_points:
 - "{snap_common}/etc/keystone/keystone.conf"
 config-dirs:
 - "{snap_common}/etc/keystone/conf.d"
+ run-as:
+ snap-keystone: [snap-keystone]
 keystone-uwsgi:
 type: uwsgi
 uwsgi-dir: "{snap_common}/etc/uwsgi"
 log-file: "{snap_common}/log/uwsgi.log"
+ run-as:
+ snap-keystone: [snap-keystone]
 keystone-nginx:
 type: nginx
 config-file: "{snap_common}/etc/nginx/nginx.conf"
diff --git a/snap/templates/keystone-snap.conf.j2 b/snap/templates/keystone-snap.conf.j2
index 96b211e..fca2577 100644
--- a/snap/templates/keystone-snap.conf.j2
+++ b/snap/templates/keystone-snap.conf.j2
@@ -8,4 +8,4 @@ lock_path = {{ snap_common }}/lock
 [fernet_tokens]
 # Fernet key repository
-key_repository = {{ snap_common }}/etc/fernet-keys
+key_repository = {{ snap_common }}/fernet-keys
diff --git a/snap/templates/nginx.conf.j2 b/snap/templates/nginx.conf.j2
index c02138e..653ff03 100644
--- a/snap/templates/nginx.conf.j2
+++ b/snap/templates/nginx.conf.j2
@@ -1,4 +1,4 @@
-user root;
+user snap-keystone snap-keystone;
 worker_processes auto;
 pid {{ snap_common }}/run/nginx.pid;
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 1a7e636..b0aa2fb 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -73,7 +73,7 @@ parts:
 - etc/keystone/*.json
 - etc/keystone/*.templates
 stage: [$etc]
- snap: [$etc]
+ prime: [$etc]
 nginx:
 source: http://www.nginx.org/download/nginx-1.13.0.tar.gz
 plugin: autotools
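Review bot: In snap/snap-openstack.yaml, `run-as` is added to keystone-manage and keystone-uwsgi but the visible part of keystone-nginx gets none, and the NOTE that used to explain the root dependency was removed from the `templates` section in the first hunk. A short comment would keep the intent reviewable, for example `# run-as maps user -> groups; keystone-nginx has no run-as because nginx drops its workers via the user directive in nginx.conf.j2` above `keystone-nginx:`. The user-to-groups reading is inferred from the `users:` entry, and the keystone-nginx block continues below the hunk, so confirm both before adding it.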
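Review bot: In snap/templates/keystone-snap.conf.j2, `key_repository` changes location with no visible handling of keys that may already exist on an installed snap. The old value pointed at `{{ snap_common }}/etc/fernet-keys`, which did not match the `etc/keystone/fernet-keys` directory the old setup created, so any key files written there stay on disk with their previous ownership. After a refresh Keystone would presumably find an empty repository until `fernet_setup` is run again. If no refresh hook covers this, say so where operators will see it, e.g. extend the comment to `# Fernet key repository (moved out of etc/; keys from the previous location are not migrated and should be removed after re-running fernet_setup)`.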
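Review bot: In snap/templates/nginx.conf.j2, the `user` directive only changes the credentials of worker processes, so the master still has to start as root for it to take effect, and it writes `{{ snap_common }}/run/nginx.pid` into a directory that the first hunk of snap-openstack.yaml chowns to snap-keystone. A root process creating files in a directory writable by the account it is meant to be isolated from weakens the privilege drop; the same holds for any nginx log the master opens under `{snap_common}/log`. I would keep the pid file in a directory that stays root-owned, i.e. a dedicated entry under `dirs` that is left out of `rchown`, and point the directive at it: `pid {{ snap_common }}/<root-owned-dir>/nginx.pid;`. Whether keystone-nginx is in fact launched as root is not visible in this diff.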