diff --git a/cinder/api/v3/attachments.py b/cinder/api/v3/attachments.py index 6c457920f9b..4d3bdbb1635 100644 --- a/cinder/api/v3/attachments.py +++ b/cinder/api/v3/attachments.py @@ -24,6 +24,7 @@ from cinder.api import validation from cinder import exception from cinder.i18n import _ from cinder import objects +from cinder.policies import attachments as attachment_policy from cinder import utils from cinder.volume import api as volume_api @@ -268,6 +269,8 @@ class AttachmentsController(wsgi.Controller): volume_ref = objects.Volume.get_by_id( context, attachment_ref.volume_id) + context.authorize(attachment_policy.COMPLETE_POLICY, + target_obj=attachment_ref) attachment_ref.update({'attach_status': 'attached'}) attachment_ref.save() volume_ref.update({'status': 'in-use', 'attach_status': 'attached'}) diff --git a/cinder/policies/attachments.py b/cinder/policies/attachments.py index 1378e4477fc..c177a65a8e8 100644 --- a/cinder/policies/attachments.py +++ b/cinder/policies/attachments.py @@ -21,6 +21,7 @@ from cinder.policies import base CREATE_POLICY = 'volume:attachment_create' UPDATE_POLICY = 'volume:attachment_update' DELETE_POLICY = 'volume:attachment_delete' +COMPLETE_POLICY = 'volume:attachment_complete' MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume' attachments_policies = [ @@ -54,6 +55,16 @@ attachments_policies = [ 'path': '/attachments/{attachment_id}' } ]), + policy.DocumentedRuleDefault( + name=COMPLETE_POLICY, + check_str=base.RULE_ADMIN_OR_OWNER, + description="Mark a volume attachment process as completed (in-use)", + operations=[ + { + 'method': 'POST', + 'path': '/attachments/{attachment_id}/action (os-complete)' + } + ]), policy.DocumentedRuleDefault( name=MULTIATTACH_BOOTABLE_VOLUME_POLICY, check_str=base.RULE_ADMIN_OR_OWNER, diff --git a/doc/source/configuration/block-storage/samples/policy.json.inc b/doc/source/configuration/block-storage/samples/policy.json.inc index c51f564af13..1cd641ce58c 100644 
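Review bot: In the `@@ -268,6 +269,8 @@` hunk the new `context.authorize(attachment_policy.COMPLETE_POLICY, target_obj=attachment_ref)` uses only the attachment as its target, while the lines that follow also write `'status': 'in-use'` to `volume_ref`. Please confirm that `attachment_ref` really contributes the owning project to the policy target; if it does not, `rule:admin_or_owner` would presumably be compared against the caller's own project and the check would restrict nothing. The call also sits after `objects.Volume.get_by_id(...)`, so moving it directly above that lookup would refuse an unauthorized request before any further database read, ideally with the comment `# Authorize before touching state: the attachment and its volume are both saved below.`. A unit test that invokes the action with a non-owner context and asserts that neither object is saved would pin the behaviour down; none is visible in this part of the diff. The enclosing method begins and ends outside the hunk.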
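Review bot: The `COMPLETE_POLICY` rule added in the `@@ -54,6 +55,16 @@` hunk of cinder/policies/attachments.py creates an enforcement point that callers of `os-complete` apparently did not face before, and nothing in this part of the diff tells operators about it. An upgrade release note naming `volume:attachment_complete` and its `rule:admin_or_owner` default would let deployments with a customised policy file review the rule before upgrading. A comment above the entry such as `# Enforced in AttachmentsController before the attachment and volume are marked attached/in-use.` would tie the rule to its call site. The `attachments_policies` list starts and ends outside the hunk.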
--- a/doc/source/configuration/block-storage/samples/policy.json.inc +++ b/doc/source/configuration/block-storage/samples/policy.json.inc @@ -108,6 +108,7 @@ "volume:attachment_create": "", "volume:attachment_update": "rule:admin_or_owner", "volume:attachment_delete": "rule:admin_or_owner", + "volume:attachment_complete": "rule:admin_or_owner", "snapshot_extension:snapshot_actions:update_snapshot_status": "", "snapshot_extension:snapshot_manage": "rule:admin_api",