diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 629bd07c..95d0cbb7 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -111,6 +111,18 @@
 # (Optional) Tenant for Cinder v3 user.
 # Defaults to 'services'.
 #
+# [*roles*]
+# (Optional) List of roles assigned to Cinder user
+# Defaults to ['admin']
+#
+# [*roles_v2*]
+# (Optional) List of roles assigned to Cinder v2 user
+# Defaults to ['admin']
+#
+# [*roles_v3*]
+# (Optional) List of roles assigned to Cinder v3 user
+# Defaults to ['admin']
+#
 # [*public_url_v2*]
 # (Optional) The v2 endpoint's public url.
 # This url should *not* contain any trailing '/'.
@@ -193,6 +205,9 @@ class cinder::keystone::auth (
   $tenant = 'services',
   $tenant_user_v2 = 'services',
   $tenant_user_v3 = 'services',
+  $roles = ['admin'],
+  $roles_v2 = ['admin'],
+  $roles_v3 = ['admin'],
   $email = 'cinder@localhost',
   $email_user_v2 = 'cinderv2@localhost',
   $email_user_v3 = 'cinderv3@localhost',
@@ -264,6 +279,7 @@ class cinder::keystone::auth (
     password => $password,
     email => $email,
     tenant => $tenant,
+    roles => $roles,
   }
 
   keystone::resource::service_identity { 'cinderv2':
@@ -278,6 +294,7 @@ class cinder::keystone::auth (
     password => $password_user_v2,
     email => $email_user_v2,
     tenant => $tenant_user_v2,
+    roles => $roles_v2,
     public_url => $public_url_v2,
     admin_url => $admin_url_v2,
     internal_url => $internal_url_v2,
@@ -295,6 +312,7 @@ class cinder::keystone::auth (
     password => $password_user_v3,
     email => $email_user_v3,
     tenant => $tenant_user_v3,
+    roles => $roles_v3,
     public_url => $public_url_v3,
     admin_url => $admin_url_v3,
     internal_url => $internal_url_v3,
diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index 780b849e..e39d65c8 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
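Review bot: The new `[*roles*]`, `[*roles_v2*]` and `[*roles_v3*]` descriptions in the first hunk do not say which project the roles are granted on, nor that `['admin']` merely preserves the assignment the class already made; an operator trying to reduce the service user's privileges needs both to pick a value. A fuller entry would read `# (Optional) List of roles granted to the Cinder user on its tenant. Defaults to ['admin'], which keeps the previous behaviour; a narrower list such as ['service'] can be given where the deployment defines that role.` (the spec in this change uses `['admin', 'service']`). Like the rest of the class's parameters these are untyped, so the lists appear to be forwarded unchecked to keystone::resource::service_identity in the later hunks. The release note in this change calls these parameters cinder::keystone::roles, roles_v2 and roles_v3, but they are declared on cinder::keystone::auth, so the note should carry the full class name.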
@@ -165,6 +165,16 @@
 # (in seconds). Set to -1 to disable caching completely. Integer value
 # Defaults to $::os_service_default.
 #
+# [*service_token_roles*]
+# (Optional) A choice of roles that must be present in a service token.
+# Service tokens are allowed to request that an expired token
+# can be used and so this check should tightly control that
+# only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list
+# must be present. For backwards compatibility reasons this
+# currently only affects the allow_expired check. (list value)
+# Defaults to $::os_service_default.
+#
 # [*service_token_roles_required*]
 # (optional) backwards compatibility to ensure that the service tokens are
 # compared against a list of possible roles for validity
@@ -224,6 +234,7 @@ class cinder::keystone::authtoken(
   $manage_memcache_package = false,
   $region_name = $::os_service_default,
   $token_cache_time = $::os_service_default,
+  $service_token_roles = $::os_service_default,
   $service_token_roles_required = $::os_service_default,
   # DEPRECATED PARAMETERS
   $check_revocations_for_cached = undef,
@@ -277,6 +288,7 @@ class cinder::keystone::authtoken(
     manage_memcache_package => $manage_memcache_package,
     region_name => $region_name,
     token_cache_time => $token_cache_time,
+    service_token_roles => $service_token_roles,
     service_token_roles_required => $service_token_roles_required,
   }
 }
diff --git a/releasenotes/notes/keystone_authtoken-service_token_roles-e698dd87b9cd2598.yaml b/releasenotes/notes/keystone_authtoken-service_token_roles-e698dd87b9cd2598.yaml
new file mode 100644
index 00000000..410bb3ce
--- /dev/null
+++ b/releasenotes/notes/keystone_authtoken-service_token_roles-e698dd87b9cd2598.yaml
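Review bot: The new `[*service_token_roles*]` description in the first hunk does not mention its dependency on `service_token_roles_required`, which the existing comment directly below describes as the switch that makes service tokens get compared against this list. Without that cross-reference an operator can set a tight role list, leave `service_token_roles_required` at its default, and believe the list is being enforced. Suggest appending `# Only enforced when service_token_roles_required is true; see that parameter.` before the Defaults line. The remaining two hunks only thread the value through to the class parameter and to keystone::resource::authtoken, consistent with how `service_token_roles_required` is already passed.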
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    New hieradata, cinder::keystone::authtoken::service_token_roles, is
+    introduced so that specific role can be assigned to the service user
+    who can use service token feature.
+  - |
+    New hieradata, cinder::keystone::roles, roles_v2 and roles_v3 are
+    introduced to configure customized role for cinder user in keystone
+    identity.
diff --git a/spec/classes/cinder_keystone_auth_spec.rb b/spec/classes/cinder_keystone_auth_spec.rb
index 5ed0a67c..50fb0061 100644
--- a/spec/classes/cinder_keystone_auth_spec.rb
+++ b/spec/classes/cinder_keystone_auth_spec.rb
@@ -48,6 +48,7 @@ describe 'cinder::keystone::auth' do
   context 'when overriding parameters' do
     before do
       params.merge!({
+        :roles => ['admin', 'service'],
         :region => 'RegionThree',
         :public_url_v2 => 'https://10.0.42.1:4242/v42/%(tenant_id)s',
         :admin_url_v2 => 'https://10.0.42.2:4242/v42/%(tenant_id)s',
@@ -58,6 +59,11 @@ describe 'cinder::keystone::auth' do
       })
     end
 
+    it { is_expected.to contain_keystone_user_role('cinder@services').with(
+      :ensure => 'present',
+      :roles => ['admin', 'service']
+    )}
+
     it { is_expected.to contain_keystone_endpoint('RegionThree/cinderv2::volumev2').with(
       :ensure => 'present',
       :public_url => 'https://10.0.42.1:4242/v42/%(tenant_id)s',
diff --git a/spec/classes/cinder_keystone_authtoken_spec.rb b/spec/classes/cinder_keystone_authtoken_spec.rb
index 23790997..b20121a5 100644
--- a/spec/classes/cinder_keystone_authtoken_spec.rb
+++ b/spec/classes/cinder_keystone_authtoken_spec.rb
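Review bot: The override in the first spec hunk sets only `:roles`, and the new expectation in the second hunk checks only `cinder@services`, so the `roles_v2` and `roles_v3` parameters this change adds to cinder::keystone::auth are never exercised. Adding `:roles_v2`/`:roles_v3` to the merged params and matching `contain_keystone_user_role` expectations for the v2 and v3 users would cover them; the titles are presumably `cinderv2@services` and `cinderv3@services` given the default tenants, but confirm against the user names the class hands to keystone::resource::service_identity. A default-parameters case asserting `:roles => ['admin']` for all three users would also pin the documented default.
```ruby
      params.merge!({
        :roles => ['admin', 'service'],
        :roles_v2 => ['admin', 'service'],
        :roles_v3 => ['admin', 'service'],
        # … unchanged: region and endpoint url overrides …
      })

    # resource titles assumed from the default user/tenant names — TODO confirm
    it { is_expected.to contain_keystone_user_role('cinderv2@services').with(
      :ensure => 'present',
      :roles => ['admin', 'service']
    )}

    it { is_expected.to contain_keystone_user_role('cinderv3@services').with(
      :ensure => 'present',
      :roles => ['admin', 'service']
    )}
```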
@@ -41,6 +41,7 @@ describe 'cinder::keystone::authtoken' do
       is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('')
       is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value('')
       is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value('')
+      is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value('')
       is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value('')
     end
   end
@@ -48,39 +49,40 @@ describe 'cinder::keystone::authtoken' do
   context 'when overriding parameters' do
     before do
       params.merge!({
-        :www_authenticate_uri => 'https://10.0.0.1:9999/',
-        :username => 'myuser',
-        :password => 'mypasswd',
-        :auth_url => 'https://127.0.0.1:5000',
-        :project_name => 'service_project',
-        :user_domain_name => 'domainX',
-        :project_domain_name => 'domainX',
-        :insecure => false,
-        :auth_section => 'new_section',
-        :auth_type => 'password',
-        :auth_version => 'v3',
-        :cache => 'somevalue',
-        :cafile => '/opt/stack/data/cafile.pem',
-        :certfile => 'certfile.crt',
-        :delay_auth_decision => false,
-        :enforce_token_bind => 'permissive',
-        :http_connect_timeout => '300',
-        :http_request_max_retries => '3',
-        :include_service_catalog => true,
-        :keyfile => 'keyfile',
-        :memcache_pool_conn_get_timeout => '9',
-        :memcache_pool_dead_retry => '302',
-        :memcache_pool_maxsize => '11',
-        :memcache_pool_socket_timeout => '2',
-        :memcache_pool_unused_timeout => '61',
-        :memcache_secret_key => 'secret_key',
-        :memcache_security_strategy => 'ENCRYPT',
-        :memcache_use_advanced_pool => true,
-        :memcached_servers => ['memcached01:11211','memcached02:11211'],
-        :manage_memcache_package => true,
-        :region_name => 'region2',
-        :token_cache_time => '301',
-        :service_token_roles_required => false,
+        :www_authenticate_uri => 'https://10.0.0.1:9999/',
+        :username => 'myuser',
+        :password => 'mypasswd',
+        :auth_url => 'https://127.0.0.1:5000',
+        :project_name => 'service_project',
+        :user_domain_name => 'domainX',
+        :project_domain_name => 'domainX',
+        :insecure => false,
+        :auth_section => 'new_section',
+        :auth_type => 'password',
+        :auth_version => 'v3',
+        :cache => 'somevalue',
+        :cafile => '/opt/stack/data/cafile.pem',
+        :certfile => 'certfile.crt',
+        :delay_auth_decision => false,
+        :enforce_token_bind => 'permissive',
+        :http_connect_timeout => '300',
+        :http_request_max_retries => '3',
+        :include_service_catalog => true,
+        :keyfile => 'keyfile',
+        :memcache_pool_conn_get_timeout => '9',
+        :memcache_pool_dead_retry => '302',
+        :memcache_pool_maxsize => '11',
+        :memcache_pool_socket_timeout => '2',
+        :memcache_pool_unused_timeout => '61',
+        :memcache_secret_key => 'secret_key',
+        :memcache_security_strategy => 'ENCRYPT',
+        :memcache_use_advanced_pool => true,
+        :memcached_servers => ['memcached01:11211','memcached02:11211'],
+        :manage_memcache_package => true,
+        :region_name => 'region2',
+        :token_cache_time => '301',
+        :service_token_roles => ['admin'],
+        :service_token_roles_required => true,
       })
     end
 
@@ -116,6 +118,7 @@ describe 'cinder::keystone::authtoken' do
       is_expected.to contain_cinder_config('keystone_authtoken/memcached_servers').with_value('memcached01:11211,memcached02:11211')
       is_expected.to contain_cinder_config('keystone_authtoken/region_name').with_value(params[:region_name])
       is_expected.to contain_cinder_config('keystone_authtoken/token_cache_time').with_value(params[:token_cache_time])
+      is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles').with_value(params[:service_token_roles])
       is_expected.to contain_cinder_config('keystone_authtoken/service_token_roles_required').with_value(params[:service_token_roles_required])
     end
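Review bot: `:service_token_roles => ['admin']` in the override hash is a single-element list, so the expectation that consumes it cannot tell whether the option was written as a list or serialized to a string; `memcached_servers` in the same hash uses a two-element list and is asserted in its comma-joined form for exactly that reason. Using `:service_token_roles => ['admin', 'service'],` here and asserting the serialized value the same way `memcached_servers` is asserted would pin what actually lands in cinder.conf, though how cinder::keystone::authtoken serializes list values is not visible in this diff. Flipping `service_token_roles_required` from false to true alongside the new list is consistent with the roles list only mattering when the check is required, as the parameter's own description in authtoken.pp indicates.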